Following the Cambridge Analytica scandal, Facebook has officially updated its data policy for the first time in years, clarifying a number of details about how it collects and uses its users' personal data. There's a lot to parse out in Facebook's new data policy, which clocks in at about 4,200 words compared to the previous policy's 2,700, according to The Wall Street Journal. But the most important thing you need to know is that though this new policy doesn't actually ask you to agree to anything more than Facebook's old terms of service did, it reveals that Facebook has information on people who never agreed to its terms of service at all.
Facebook publicly posted proposed updates to the data policy on April 4, and gave users a period of seven days to submit feedback. In a statement posted April 4, Facebook executives said "[i]t's important to show people in black and white how our products work — it's one of the ways people can make informed decisions about their privacy." They added that the updated terms would be presented in simple language your everyday human uses, and would "spell out what data we collect and how we use it in Facebook, Instagram, Messenger and other products."
Now that the updated policy is here, we can dig deeper into what those promises actually look like in practice. Given what has happened with Cambridge Analytica and some of the answers about users' data from Facebook founder Mark Zuckerberg's testimony to the Senate, chances are you're most concerned about exactly how Facebook collects your data. As Zuckerberg reiterated multiple times during his testimony, Facebook has access to data its users feed to it, whether that's accepting your account being connected to a third-party app like Spotify or Candy Crush, or uploading your phone contacts and SMS history to find friends.
But Facebook's updated data policy also shows that Facebook collects a significant amount of information about the devices you use to access Facebook. If you use Facebook, it's able to see what the policy refers to as "device attributes," including "information such as the operating system, hardware and software versions, battery level, signal strength, available storage space, browser type, app and file names and types, and plugins."
On top of that, Facebook also collects information in a category referred to as "device operations." That category includes "information about operations and behaviors performed on the device, such as whether a window is foregrounded or backgrounded, or mouse movements." In the updated policy, Facebook says it collects mouse movement data because it can "help distinguish humans from bots."
Facebook can also figure out your location, which you likely knew, since you can turn on location settings for the app on your mobile phone. But we're talking about more than physical location here; we're also talking about your web presence. Facebook says it knows certain things about you from "information you allow us to receive through device settings you turn on, such as access to your GPS location, camera or photos." As The Wall Street Journal pointed out, though, "the company doesn't stop tracking your location when you turn off location services. The policy says it can get your location from other data points, including IP addresses and nearby Wi-Fi access points and cell towers."
Facebook also "uses location data — where you live, where you work, what businesses are close by, even people who are near you — to 'personalize and improve' its products," The Wall Street Journal reported.
As for your web presence, Facebook can use proximity data to determine that, as well. "Facebook acknowledges that it tracks you via outside website and app developers — including device information, the sites you visit, purchases you make and more. This happens whether or not you are logged into Facebook," The Wall Street Journal reported.
But the most startling bit of information about tracking is that "[Facebook] tracks you even if you don't have a Facebook account," according to The Wall Street Journal. Part of this may be the fact that Facebook says it can gather "information about other devices that are nearby or on your network."
Another aspect of Facebook's data policy is how Facebook plans to use your data. Well, the first thing you should know is that your data is consolidated across all Facebook products, including Facebook itself, Messenger, Instagram, WhatsApp, and virtual reality company Oculus. Specifically, Facebook's updated data policy says "Facebook and Instagram share infrastructure, systems and technology with other Facebook Companies [...] to provide an innovative, relevant, consistent and safe experience across all Facebook Company Products you use."
In practice, this can mean that "[i]f an account is, for instance, sending spammy texts in WhatsApp, the company will 'process information' from that account to 'take appropriate action' on its related accounts in Facebook, Instagram and Messenger," The Wall Street Journal reported.
As for sharing your information with third parties, Facebook's updated policy says it shares user data with partners who use Facebook's analytics services, advertisers, content creators or sellers who have partnered with Facebook, vendors and service providers (like customer service representatives), researchers and academics, and to law enforcement when legal requests are filed. "We don't sell any of your information to anyone, and we never will," Facebook says in its updated policy. "We also impose strict restrictions on how our partners can use and disclose the data we provide."
If any of this is unnerving to you, just remember Facebook has been collecting your information in this manner since you agreed to its terms of service during account signup. Nothing in the bones of Facebook's new data policy is different, but this updated version does, as Facebook promised, explicitly lay out some of the concerns users have been expressing since news broke about Cambridge Analytica allegedly scraping users' data.