
Facebook Privacy Policy Explained — 8 Things They Don't Want You to Notice

At over 12,000 words, Facebook's (Meta's) privacy policy is longer than most short stories. It's also one of the most analyzed privacy documents in the world — and for good reason. We ran it through Nudam's weighted scoring system.

The result: Grade D — 3.8 out of 10. Facebook scores poorly not because it openly violates regulations — it's extremely careful about technical compliance — but because it systematically chooses the most data-extractive approach that regulations allow.

1. "Off-Facebook Activity" tracks you across the web

Facebook tracks your activity on millions of external websites and apps through the Meta Pixel (a script embedded in web pages), the Meta SDKs embedded in mobile apps, and server-side integrations. Any site that embeds the Pixel reports your page views and events to facebook.com; where the browser allows third-party cookies that request carries the Facebook cookies you already hold, and otherwise the Pixel's own first-party cookies fill the gap, so the visit can be linked to your profile whether or not you ever click an ad. Visits to health websites, financial services, dating apps, and news sites are logged and linked to your Facebook profile in exactly this way.

The "Off-Facebook Activity" tool lets you see some of this data, but clearing it does not stop future collection: it only disconnects the already-collected data from your profile. The sites keep sending events and Meta keeps receiving them; the tracking continues.
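To see which sites feed Off-Facebook Activity you can audit their HTML directly. The following Python script is an added example, not code from the article or from Meta: it looks for the three recognisable parts of a standard Meta Pixel install (the fbevents.js loader, the fbq('init'/'track') calls, and the noscript image beacon) plus the _fbp/_fbc linking cookies. The sample HTML and Cookie header are constructed for the example; the regular expressions are this example's own and cover the standard snippet, not every obfuscated variant.

```python
"""Detect a Meta Pixel install in page HTML (added example, not from the article).

A standard Pixel install has three recognisable parts:
  1. a loader script that fetches https://connect.facebook.net/<locale>/fbevents.js
  2. fbq('init', '<pixel id>') followed by fbq('track', '<event>') calls
  3. a <noscript> fallback image at https://www.facebook.com/tr?id=<pixel id>&ev=PageView
The Pixel also sets first-party cookies named _fbp and _fbc on the host site so
that visits can be linked even when third-party cookies are blocked.
The sample HTML and Cookie header below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

LOADER_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d{5,20})['"]""")
TRACK_RE = re.compile(r"""fbq\(\s*['"]track(?:Custom)?['"]\s*,\s*['"]([\w ]+)['"]""")
NOSCRIPT_RE = re.compile(r"""facebook\.com/tr\?[^"'\s>]*?\bid=(\d{5,20})""")
LINK_COOKIE_RE = re.compile(r"(?:^|;\s*)(_fbp|_fbc)=([^;]+)")


@dataclass
class PixelReport:
    loader_present: bool = False
    pixel_ids: set = field(default_factory=set)
    events: set = field(default_factory=set)
    noscript_ids: set = field(default_factory=set)
    linking_cookies: dict = field(default_factory=dict)

    @property
    def tracked(self) -> bool:
        """True when the page reports to Meta, with JavaScript enabled or without it."""
        return self.loader_present or bool(self.pixel_ids) or bool(self.noscript_ids)

    def findings(self) -> list:
        """Human-readable lines for an audit note."""
        out = []
        if self.loader_present:
            out.append("Pixel loader (fbevents.js) present")
        for pid in sorted(self.pixel_ids):
            out.append(f"fbq('init') for pixel {pid}")
        if self.events:
            out.append("events sent: " + ", ".join(sorted(self.events)))
        for pid in sorted(self.noscript_ids - self.pixel_ids):
            out.append(f"<noscript> beacon only, pixel {pid}")
        if self.noscript_ids & self.pixel_ids:
            out.append("<noscript> beacon mirrors the script pixel (survives script blocking)")
        for name, value in self.linking_cookies.items():
            out.append(f"linking cookie {name}={value}")
        return out


def scan_html(html: str, cookie_header: str = "") -> PixelReport:
    """Scan raw HTML (and optionally the site's Cookie header) for Meta Pixel traces."""
    return PixelReport(
        loader_present=LOADER_RE.search(html) is not None,
        pixel_ids=set(INIT_RE.findall(html)),
        events=set(TRACK_RE.findall(html)),
        noscript_ids=set(NOSCRIPT_RE.findall(html)),
        linking_cookies=dict(LINK_COOKIE_RE.findall(cookie_header)),
    )


# Constructed sample: a health site with the standard Pixel snippet installed.
SAMPLE_HTML = """
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '123456789012345');
fbq('track', 'PageView');
fbq('track', 'ViewContent');
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=123456789012345&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Symptom checker</h1>
</body></html>
"""
# Constructed Cookie header as the browser would send it back to that site.
SAMPLE_COOKIES = "sessionid=abc; _fbp=fb.1.1700000000000.1234567890; theme=dark"

if __name__ == "__main__":
    report = scan_html(SAMPLE_HTML, SAMPLE_COOKIES)
    print("tracked:", report.tracked)
    for line in report.findings():
        print(" -", line)
```

The noscript beacon matters in practice: a script blocker stops fbevents.js, but the plain image request to facebook.com/tr still fires with the pixel ID and the event name, so an audit that only looks for the script misses sites that still report page views.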

2. Facial recognition data collected from photos

Every photo and video you upload is processed by Meta's computer vision systems. While Meta publicly scaled back its facial recognition program in 2021, the privacy policy still permits collection of "face-related data" for purposes including "safety, security, and integrity." The broad language leaves the door open for future reactivation.

3. Messenger content is scanned

Facebook scans Messenger content for "safety" and "integrity" purposes. End-to-end encryption is now the default for personal one-to-one chats, which takes the message body out of Meta's reach in those conversations; content scanning still applies to anything that is not end-to-end encrypted. Metadata, meaning who you messaged, when, for how long, and your location during the conversation, remains fully visible to Meta regardless of encryption and is used for ad targeting and content recommendations.

4. Data flows to 5,000+ advertising partners

Meta's advertising partner ecosystem is vast. Your data flows to advertisers, measurement companies, data brokers, and "other partners" through several sharing mechanisms: Custom Audiences (an advertiser uploads hashed customer emails and phone numbers, which Meta matches against its users), Lookalike Audiences (Meta finds users who resemble that matched set), and the Conversions API (the advertiser's server sends your purchases and sign-ups to Meta directly, so browser-side blocking never sees them). The policy authorizes this sharing for "providing and improving products, safety, and research", language broad enough to cover virtually anything.
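The hashing in Custom Audiences and the Conversions API is often read as anonymisation; it is a matching key. The Python below is an added example, not the article's or Meta's code: it shows both sides of the exchange, the advertiser normalising and SHA-256 hashing its list and the platform matching those digests against its own users, and then shows that a digest of a phone number with a known prefix is recovered by enumeration. The normalisation rules (email trimmed and lower-cased; phone reduced to digits with a country code) are a simplified version of Meta's documented match keys and are an assumption here; the user records and advertiser list are constructed.

```python
"""How Custom Audiences and the Conversions API carry identity (added example).

Advertisers do not hand Meta raw emails or phone numbers: each identifier is
normalised and SHA-256 hashed before upload, and Meta matches the digests against
the hashes of its own users' contact details. The normalisation rules below are a
simplified version of Meta's match keys and are an assumption for this example.
The user records and advertiser list are constructed.
"""
import hashlib
import re


def normalize_email(email: str) -> str:
    return email.strip().lower()


def normalize_phone(phone: str, default_country: str = "1") -> str:
    """Keep digits only, drop leading zeros; assume a bare 10-digit number is in default_country."""
    digits = re.sub(r"\D", "", phone).lstrip("0")
    if len(digits) == 10:
        digits = default_country + digits
    return digits


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hash_email(email: str) -> str:
    """Advertiser side: the value that goes into the audience upload."""
    return sha256_hex(normalize_email(email))


def hash_phone(phone: str, default_country: str = "1") -> str:
    return sha256_hex(normalize_phone(phone, default_country))


def build_match_index(users: list) -> dict:
    """Platform side: map the hash of every user's identifier to the user id."""
    index = {}
    for user in users:
        index[hash_email(user["email"])] = user["id"]
        index[hash_phone(user["phone"])] = user["id"]
    return index


def match_audience(uploaded_hashes: list, index: dict) -> tuple:
    """Return (set of matched user ids, count of uploaded hashes with no account)."""
    matched = {index[h] for h in uploaded_hashes if h in index}
    unmatched = sum(1 for h in uploaded_hashes if h not in index)
    return matched, unmatched


def recover_phone(target_hash: str, known_prefix: str, unknown_digits: int):
    """Hashing is not anonymisation: when the identifier space is small enough to
    enumerate, anyone holding the digest recovers the value by recomputation.
    Here only the last `unknown_digits` digits of the number are unknown."""
    for n in range(10 ** unknown_digits):
        candidate = known_prefix + str(n).zfill(unknown_digits)
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


# Constructed platform-side account records.
USERS = [
    {"id": "u1", "email": "alice@example.com", "phone": "+1 415 555 0101"},
    {"id": "u2", "email": "bob@example.org", "phone": "+1 415 555 0102"},
    {"id": "u3", "email": "carol@example.net", "phone": "+44 20 7946 0958"},
]
# Constructed advertiser customer list, with the messy capitalisation and
# whitespace that normalisation exists to absorb.
ADVERTISER_EMAILS = ["Alice@Example.com ", "dave@nowhere.example", "BOB@example.org"]


def demo() -> dict:
    index = build_match_index(USERS)
    uploaded = [hash_email(e) for e in ADVERTISER_EMAILS]
    matched, unmatched = match_audience(uploaded, index)
    # An observer who knows the area code and exchange has 10^4 candidates to try.
    recovered = recover_phone(hash_phone("+1 415 555 0101"), "1415555", 4)
    return {"matched": matched, "unmatched": unmatched, "recovered_phone": recovered}


if __name__ == "__main__":
    print(demo())
```

Two things follow from the code. First, the platform learns which of the advertiser's customers are its users without the advertiser ever sending cleartext, which is why the policy can describe the flow as hashed while the linkage is still exact. Second, a phone number has about ten billion possible values and an email address drawn from a known customer base far fewer, so a leaked or retained upload is reversible by anyone who can enumerate the candidates, which Meta, holding the identifiers of its own user base, can always do.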

5. Location tracking without GPS permission

Even if you deny GPS access, Facebook infers your location from IP addresses, Wi-Fi connection points, Bluetooth signals, nearby cell towers, and check-ins from your friends. This inferred location data powers hyper-local ad targeting — meaning advertisers can reach you based on where you physically go, even without explicit location permission.

6. Voice recordings from audio features

If you use voice features in Messenger, Instagram, or any Meta product, audio data is processed and may be retained. The policy includes broad rights to process audio recordings for "product improvement and development," with no clear retention limits specific to audio data.

7. Data retention is effectively indefinite

Facebook states data is kept "as long as necessary." For an account you've maintained for a decade, this effectively means everything accumulated over those ten years. Account deletion requests take up to 90 days to fully process, and Meta notes that some data "shared with others" or used by third parties may persist beyond deletion.

8. AI training on all user-generated content

Meta openly trains its Llama AI models and other machine learning systems on user-generated content — posts, photos, comments, interactions, and behavioral patterns. An opt-out form exists, but it requires navigating through multiple settings pages, submitting a request, and Meta reserves the right to deny the request if it determines a legitimate interest override applies.

The full score breakdown

Data Collection: 2/10 (weight 20%). Third-Party Sharing: 2/10 (weight 25%). User Rights: 6/10 (weight 20%). Data Retention: 3/10 (weight 15%). Security: 7/10 (weight 10%). Clarity: 4/10 (weight 10%). Weighted total: 3.8/10, Grade D (Poor). Note that multiplying the listed component scores by their weights gives 3.65 rather than 3.8; the published total does not follow directly from the components as shown here.

Credit where due: Facebook has improved transparency significantly over the years. The policy is findable, GDPR-required rights are documented, and security practices are above average. But the fundamental business model — harvesting maximum user data for advertising — hasn't changed, and the policy is written to enable it as broadly as possible.

Check Facebook's live score with all findings at nudam.app/scores/facebook.com.

Scores are generated by Nudam's AI analysis and reflect the written privacy policy. Learn about our methodology at nudam.app/methodology.