Faced with public outrage, congressional scrutiny, and a sweeping new data-privacy law soon to take effect in Europe, Facebook has vowed to better protect its users' privacy.
Nevertheless, the social-networking giant's current approach to collecting and using data from the millions of US teenagers on its platform – mostly, treating them the same as adults – will remain unchanged, according to both outside privacy experts and the company itself.
That includes new parental-consent requirements soon to be unveiled for some teens under the European Union's General Data Protection Regulation, or GDPR. Facebook has repeatedly said it will roll out GDPR-style measures to the rest of the world, although the details have been hazy. A spokesman for the company confirmed to Education Week that Facebook will not seek any additional parental consent from US users between the ages of 13-17.
“We can and will do more to help everyone, regardless of age, understand how Facebook works and the choices they have,” the Facebook spokesman said in a statement. “In recent weeks, we've simplified our privacy settings, introduced a clearer data policy, strengthened how we protect data, and committed to putting people in better control over their information.”
Still, privacy advocates said none of those changes will significantly narrow the nature and scope of the data on its US users, including teenagers, that the company collects, uses, or shares with advertisers.
“There's a lot of emphasis on notice and consent, but that's a very small slice of what modern data collection is really about,” said Marc Rotenberg, the president and executive director of the Electronic Privacy Information Centre, a privacy-advocacy group in Washington. “In much of the world, that kind of language is viewed as something companies do when they want to go ahead with business practices that might be controversial.”
Millions of teen Facebook users
Facebook has spent the past month under a harsh spotlight.
In March, the Guardian and the New York Times revealed that a third-party developer had used Facebook tools to harvest the personal data of 87 million Facebook users, then inappropriately shared that information with a British political consulting firm, which in turn used the information to target political advertisements to American voters as part of the effort to elect Donald Trump as president.
The fallout – including CEO Mark Zuckerberg's first appearance before US Congress – was swift.
Still, the K-12 sector has shown little inclination to stop using the platform.
Many schools and districts view Facebook as an essential marketing and communications tool, using it to for everything from announcing PTA meetings to keeping the public informed during crises.
Some educators also use the platform for private groups, to hold classroom discussions and as a way for students to share work.
Privacy advocates suggest that if schools do continue to use Facebook, they review their settings on the platform – to make sure that class groups are truly private, for example. Advocates also urge schools to not require that students use Facebook for schoolwork.
The privacy threats young people face don't come just from their schools' use of the platform, however.
As of 2015, 71% of 13- to 17-year-olds in the US used the platform, according to a survey by the Pew Research Centre. Other Facebook-owned platforms and services such as Instagram, Messenger, and WhatsApp are also highly popular with teens.
(Children under 13 are not legally allowed to create Facebook accounts in the US, although it is widely believed that many young children circumvent those rules, and Facebook offers directions for how to report underage accounts.)
There are also plenty of signs that young people's daily usage of Facebook remains high, and that they are very engaged by ads on the platform – even though newer platforms such as Snapchat are growing faster among teens and have a higher share of young users.
What data does Facebook collect from teens?
So how does Facebook protect the privacy of all those American teens?
There's some good news, but more bad news, said Linnette Attai, the founder of PlayWell, LLC, a privacy-consulting group that works with education and other groups.
“The company does provide additional safety information, messaging, and guidance for teens and parents,” Attai said.
An example: when teens want to share photos or content, the default setting is not “public”. If a teen tries to change that, Facebook will remind them of the possible implications of sharing something publicly.
There are three additional ways in which the company treats US teens differently from adults on its platform:
* Facial recognition is not available for US users under age 18. Teenagers cannot turn facial recognition on.
* Facebook doesn't apply all of the same advertising categories to US users ages 13-17 as it applies to adults. Teens should not be served ads for alcohol, for example.
* Facebook limits who can see or search for some sensitive information shared by US users under 18, including their hometown, school, and birthday.
Still, the company's data-collection practices are essentially the same for U.S. teens and adults.
“They collect all the information [users] provide, and there's also passive data collection that [users] aren't necessarily aware of,” Attai said. “Even for minors.”
For starters, that can include all the content and communications that users upload; information related to their religious and political views; health and relationship information; all their “likes” and other interactions on Facebook; location data; what they see through Facebook's camera; contacts of friends; what kind of computer, phone, and operating system users employ; and which WiFi access points and cell towers are nearby.
It can also include information that Facebook collects from other advertisers and app developers, including users' Internet-browsing histories, what they buy online; which ads they see elsewhere; and what games they play.
And, importantly, the company can collect the latter category of information “even if you're logged out or don't have a Facebook account”, according to an April 16 post in the company's online newsroom.
Facebook's recent privacy measures
Following the Cambridge Analytica revelations, Facebook announced a series of measures aimed at limiting the types of information third-party app developers can get from Facebook users and their friends.
Read directly from Facebook about its recent steps to address privacy concerns:
* Restricting developers' access to users' data
* Making it easier for users to find and change their privacy settings
* Making its Data Policy and Terms of Service easier to read
* Initiating changes related to the EU's General Data Protection Regulation, or GDPR
Last month, the company also began the process of shutting down a service through which it has historically allowed advertisers to use information from data brokers and other third parties to target advertisements to Facebook users.
The other steps announced by the company, however, are more focused on how people use Facebook than on how Facebook collects and uses people's data.
The company's recent updates to its Data Policy and Terms of Service, for example, were aimed at being more transparent and making those policies easier to read. But they did not change Facebook's underlying data-collection practices.
Facebook also recently redesigned its settings menu and some of its navigation tools in an effort to make it easier for users to see and change what apps they're using, what information they're sharing, and what kinds of ads they see on the platform.
And per the terms laid out in the European Union's General Data Protection Regulation, Facebook said earlier this month in a blog post that it will make available “new privacy experiences for everyone”, regardless of where they live.
Those changes include asking users to provide fresh consent for the company to collect and use sensitive information (such as political and religious views), employ facial recognition technology, and serve targeted ads based in part on users' web-browsing activity.
The company also said that under GDPR, “people between the ages of 13 and 15 in some EU countries need permission from a parent or guardian to allow some features on Facebook”, such as serving ads based on data from third parties or on users' own religious and political views.
Given Zuckerberg's repeated statements that Facebook would make GDPR-style “controls and settings available everywhere”, and not just in Europe, some observers wondered if Facebook would also seek similar parental consent from US teens.
But that will not be the case, the company confirmed.
Ultimately, Attai said, the changes don't dramatically alter the potential privacy risks that Facebook poses to US teens.
“They can opt out of certain advertising settings and have some control over how their data is used and shared,” Attai said. “But they can't say to Facebook, 'I don't want you to get my data in the first place'.” — Education Week/Tribune News Service