Meta’s Privacy Policies: Designed Badly, by Design?
Justin Sherman / Nov 25, 2024
Anyone who’s ever used any digital service knows that privacy policies aren’t exactly picture books. Usually, they’re incredibly difficult to read. Research, polling, reporting, and personal experiences abound on why privacy policies are so bad these days: they are too long, use legalistic and inaccessible terminology, are presented as take-it-or-leave-it, and much more. None of this is new information (although, it’s all still a serious and widespread problem).
But less attention is often paid to how privacy policies themselves are displayed. As someone who has spent a substantial amount of time reviewing these policies across countless companies and platforms, in my work researching commercial data practices, I’ve come to regard one company as perhaps the worst of the lot in how it visually presents its policies: Meta. Regulators and lawmakers should take note.
How did it get this way?
The 20-year-old, US-based multinational conglomerate founded by Mark Zuckerberg has over three billion daily active users worldwide and operates products and services ranging from Facebook and Instagram to WhatsApp, Oculus, and AI models such as Llama. Yet, understanding what the company is collecting, inferring, and purchasing, let alone doing with individuals’ data, is made even more challenging by the way Meta incomprehensibly lays out its privacy policy language.
It is, to say the least, a test to think of any company besides Meta that puts so much effort into breaking up its privacy policies into probably hundreds of indigestible pieces, scattered across numerous websites and pages, with confusing hyperlinks, circular references to documents, no ability to comprehensively and functionally search across documents, and misleading or inaccurate statements about what specific pages describe to the viewer. In other words: it’s a usability disaster.
Searching “Meta privacy policy” online brings up a page on Facebook.com titled “What is the Privacy Policy and what does it cover?” It’s remarkably long. It’s broken up into many subsections. It’s difficult to search. It’s hard to navigate. And, at the time of this writing, that webpage alone had 168 links to various other webpages and pop-ups within the page.
If you click on just one of those, such as “Review the privacy policies of the other Meta companies,” it brings you to a page called “The Meta Companies” which then links to terms for Meta Payments, Facebook Payments International, and more. When I clicked on the EU privacy terms for Facebook Payments Limited International, it directed me to a page with no information on it that prompted me to log into a Facebook.com account. One page claims to tell you something useful and points to many other pages and popups, which also tell you you’ll get the information you want—if you just click one more hyperlink. It’s turtles all the way down.
Designing privacy information in this way makes it nearly impossible for the average user to understand what Meta does with respect to a specific product, service, or technology. Looking to learn what information is collected and transmitted via the Meta Pixel? If you’re hoping for a quick read, good luck. Meta breaks its Pixel documentation into numerous pages, and when you click on a link on the Pixel Advanced Matching page that claims to help you “learn what data is sent when using the Meta Pixel,” it directs you to the general page for Meta’s Transparency Center. Now, we’re back where we started above, with numerous subsections and 168 links and pop-ups. Only by pulling together information from many different webpages is it possible for a user to even see all the information Meta posts about what data the Meta Pixel can transmit. (That’s before attempting to understand it.)
Take another example. Maybe you’re concerned about Meta saying in February 2024 it would begin collecting what it called “anonymized” device usage data about Oculus headsets—at the same time as Meta ended consumers’ ability to use an Oculus Quest headset without creating a Meta account or linking it to an existing one. Well, learning about that topic is a nightmare, too. The webpage for “Legal Documents” about Quest devices links to dozens of different webpages, including a variety of “supplemental” policies and documents, that themselves have many links and subsections, again perpetuating the same design and layout problem. It would take hours just to pull together the information, before any work on consolidation and interpretation.
Meta didn’t always display its privacy information this way. But over the years, the company (once eponymously known for its first product, Facebook) has presented its privacy policy in an increasingly graphics-oriented format, riddled with drop-downs and buttons. The substance of that evolving set of privacy policies, as pointed out by nonprofit groups such as the Electronic Privacy Information Center, has made clear the company has continued to collect and use individuals’ data without meaningful consent. Yet, the days when users could use a little CTRL+F or CMD+F magic to search for words within a page are in the rearview mirror. Meta’s design and display decisions have made answering basic questions—such as “what data does Meta gather via virtual reality headsets?” or “from which apps and services does Meta collect fine-grained geolocation data?”—virtually impossible for the average user. You can’t even attempt to understand what you can’t easily access in the first place. Given how much effort this confusing design must take, that might be Meta’s very objective.
It’s worse by comparison
To be very clear, Meta is hardly the only problematic actor when it comes to privacy policies. As described above, privacy policies are rife with length, complexity, and other issues. Many companies drown their privacy policies in words like “could,” “might,” or “may,” and while it might make for fun semantic debate in a law class, these hypotheticals don’t tell readers what companies are actually doing with data. They also intentionally leave the door open to companies doing anything they want with individuals’ data tomorrow or five years from now.
The privacy policy for Google, for example, is not the most accessible document in the world and contains many such hypothetical statements and privacy loopholes. It also has lots of vague language. But Meta stands out even from its data-hoarding competitors like Google and TikTok in just how badly it presents its “privacy policy” information—and just how difficult it is, should you have a specific question about a specific service or product, to find concrete information about what Meta does with your data.
Where are the regulators?
At a certain point, there should be consequences for designing the layout and presentation of privacy policies in completely unreasonably segmented, obfuscating ways. Perhaps it’s worth an inquiry into whether such practices violate the US Federal Trade Commission Act and similar prohibitions on deceptive business practices. Legislators should prevent these bad practices in future privacy laws, too.
The FTC, for its part, has been clear in its enforcement decisions that companies should seek “affirmative express consent” from consumers before collecting and using their data. Doing so requires “clear and conspicuous disclosure” to consumers of the categories of data collected about them; the purposes of data collection, use, and disclosure; “a simple, descriptive URL (or hyperlink if technically possible) to a document that describes” this information; and “a simple, descriptive URL (or hyperlink if technically possible) to a simple, easily-located means by which the consumer can withdraw consent and that describes any limitations on the consumer’s ability to withdraw consent.” Otherwise, companies may be in violation of Section 5 of the FTC Act—and its prohibition on unfair or deceptive acts or practices.
Meta does not appear to clearly and conspicuously describe the data it collects about individuals. It does not have simple, descriptive URLs for these pages—in fact, any single privacy-related document on a Meta website could link to dozens or over 100 other pages and pop-ups that Meta purports provide additional information. Both of these points raise the question of whether Meta is deviating from practices the FTC has indicated are legally required.
Further, the FTC Act prevents deceptive practices in general—defined by FTC policy as “involving a material representation, omission, or practice that is likely to mislead a consumer acting reasonably in the circumstances.” If any number of pages on the Meta website that claim to provide consumers with information about privacy do not, in fact, provide and present said information in a reasonable manner (or, really, at all), it likewise raises the question of whether Meta might be violating the FTC Act by deceptively designing the layout of its privacy policy information.
Lawmakers working on privacy bills should not forget that substance and layout are important for privacy policies, to avoid these kinds of bad practices that bury information from consumers and regulators, further limit consumers’ ability to consent, and threaten individuals’ ability to exercise their privacy rights. New laws on privacy should require companies to make their privacy policies clearly laid out, on a single or just a few webpage(s), in an easily navigable and comprehensively searchable format. Regulators should also ask the question of whether certain kinds of presentations of privacy policies violate existing federal and state laws, introducing the need to investigate and potentially enforce compliance.
We’re long overdue for better laws, regulations, and technology practices for presenting data collection and use information to consumers. But in some cases, the design and presentation of privacy information is itself a serious problem—and Meta might just win the prize for “worst in show.”
Related Reading
Authors
