Do you know where your data is? Because Facebook doesn’t.

Facebook isn’t sure where all the data it collects on its users goes. Apparently neither is Twitter.

Consumer alerts

Social media companies know a lot about us.

Take Action

Revelations about the scale of data collection by social media companies, and the risks these practices pose to users, just keep on coming. At a Congressional hearing this week, a Twitter whistleblower alleged that it would be extremely difficult for the company to track down all the places the data it collects on its users ends up. Earlier this month in a court hearing, Facebook engineers admitted to the same problem. 

When the social media giants were getting their start, there were practically no rules or regulations they had to follow when it came to the new sprawling data collection and advertising apparatus they were building. According to reports, teams inside the companies were given extreme autonomy around what database tools they built and what data they could use to do it. The result was an incredibly complex system funneling data around these companies in ways that not even its engineers fully understand. 

Now, facing increasing (and much needed) regulations, the companies are grappling with what to do with the data wild west they’ve built. It appears that Facebook could be in violation of Europe’s General Data Practices Regulation (GDPR) that requires companies to be able to report why they collect the data they do and all the ways in which it’s used. According to a leaked document from earlier this year, Facebook is aware of these potential violations. As one engineer wrote, “we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation.”

What’s obvious is that this system needs an overhaul. A simple solution is to require companies to follow the principles of data minimization: companies should only gather data that’s strictly necessary for delivering the service a user is expecting to get, and use it for only that purpose. Requiring this standard would make it easier to hold companies to account for what they do with our data.


R.J. Cross

Director, Don't Sell My Data Campaign, PIRG

R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, consumer debt and predatory auto lending, and has testified before Congress. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder. Though she lives in Boston, she will always consider herself a Kansan at heart.