github defconxt · © 2026 · blacktemple.net

Meta Platforms

Also known as: Facebook · Meta · Instagram · WhatsApp · Oculus

HQ Country: United States
Category: social platform
Threat Score: 82/100
Incidents: 47
Known Clients:
  • Advertisers worldwide
  • Cambridge Analytica (historical)
  • Government law enforcement agencies
Deployment Countries: US, GB, DE, FR, IN, BR, AU, CA, JP, KR, IT, SE, NL, SG, AE, IE
References:
  • FTC $5 Billion Settlement (2019)
  • DPC Ireland Meta Fine EUR 1.2B (2023)
  • Cambridge Analytica Scandal


Overview

Meta Platforms, Inc., formerly known as Facebook, Inc., is the world's largest social media conglomerate. The company operates Facebook, Instagram, WhatsApp, Messenger, and the Meta Quest VR platform. Founded by Mark Zuckerberg in a Harvard dormitory in February 2004, it grew from a campus social network into a global communications empire through aggressive acquisition and rapid scaling. Headquartered in Menlo Park, California, Meta employs over 67,000 people and generated approximately $135 billion in revenue in 2023, with over 97% derived from targeted advertising.

Meta's business model is fundamentally built on surveillance capitalism: the systematic collection, analysis, and monetization of user behavioral data at unprecedented scale. With over 3.9 billion monthly active users across its family of apps, Meta operates one of the most extensive personal data collection infrastructures ever constructed. The company's advertising platform enables micro-targeted ads based on thousands of data points per user, including browsing history, location data, purchase behavior, social connections, and inferred interests.

The company's acquisition strategy has consistently targeted privacy-sensitive communications platforms:

  • Instagram ($1 billion, 2012): Photo-sharing app with rich metadata on user interests, social graphs, and visual content consumption.
  • WhatsApp ($19 billion, 2014): Originally marketed as a privacy-focused messenger with the promise "No ads! No games! No gimmicks!"; co-founders Jan Koum and Brian Acton both later departed over disagreements about data sharing and advertising. Acton publicly urged users to "delete Facebook" and donated $50 million to Signal Foundation.
  • Oculus VR ($2 billion, 2014): Extended Meta's data reach into physical movement, spatial mapping, eye tracking, and biometric data.

Despite initial promises to maintain WhatsApp's independence, Meta updated WhatsApp's privacy policy in 2021 to enable broader data sharing across its platforms.

The October 2021 rebrand from Facebook to Meta was widely interpreted as an attempt to distance the corporate identity from the toxicity associated with the Facebook brand following years of scandal. The pivot to "metaverse" technology represented a strategic bet on immersive computing, and a new frontier for data collection through VR headsets, eye tracking, and spatial computing.

Data Collection Practices

Meta's data collection apparatus is among the most comprehensive in the technology industry, operating through multiple reinforcing vectors that create detailed behavioral profiles of billions of individuals.

On-Platform Collection

Every interaction is captured: posts, comments, reactions, messages, group memberships, event attendance, marketplace transactions, and media consumption patterns. Instagram collects photo metadata, location tags, engagement patterns, and detailed information about how long users view specific content. WhatsApp, despite end-to-end encryption of message content, collects extensive metadata including contact lists, frequency of communications, group memberships, status updates, device information, and IP-derived location data. Facebook Messenger, which lacked end-to-end encryption by default until December 2023, provided Meta with direct access to billions of private conversations.

Off-Platform Tracking (Meta Pixel & SDK)

The Meta Pixel is installed on over 8 million third-party websites and apps. This tracking infrastructure follows users across the web, building shadow profiles even for non-Facebook users who never consented to Meta's data collection. The Meta SDK embedded in third-party mobile apps reports app usage, purchase events, and device data back to Meta's servers.

In 2022, an investigation by The Markup found that the Meta Pixel was embedded in:

  • Tax preparation software including H&R Block, TaxAct, and TaxSlayer, transmitting financial data to Meta
  • Hospital websites including 33 of Newsweek's top 100 hospitals, transmitting appointment scheduling data, health condition searches, and physician information
  • Government portals, transmitting interactions with public services
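As an added example (not code from the original page, and not Meta's), the kind of audit a site operator could run over their own pages to find an embedded Meta Pixel and see which events it reports, the check that would have surfaced the deployments described above. It matches only the publicly documented loader, `fbq('init', ...)`, `fbq('track'/'trackCustom', ...)` and `<noscript>` fallback patterns; the HTML samples and pixel IDs are constructed, and the event watchlist is an assumption.

```python
import re
from dataclasses import dataclass, field

# Public indicators of the Meta Pixel base snippet and its <noscript> fallback.
PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js")
PIXEL_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
PIXEL_EVENT = re.compile(r"fbq\(\s*['\"](track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
PIXEL_NOSCRIPT = re.compile(r"facebook\.com/tr\?[^\"']*\bid=(\d+)")

# Assumed watchlist: standard events that, on a healthcare, finance or
# government page, report user intent or form submissions to Meta.
SENSITIVE_EVENTS = {"Lead", "Schedule", "CompleteRegistration", "SubmitApplication", "Search"}

@dataclass
class PixelFinding:
    present: bool
    pixel_ids: list = field(default_factory=list)
    events: list = field(default_factory=list)
    sensitive_events: list = field(default_factory=list)

def audit_page(html: str) -> PixelFinding:
    """Scan one page's HTML for Meta Pixel presence and the events it fires."""
    ids = set(PIXEL_INIT.findall(html)) | set(PIXEL_NOSCRIPT.findall(html))
    pairs = PIXEL_EVENT.findall(html)          # [(kind, event_name), ...]
    events = [name for _, name in pairs]
    # Any custom event is flagged for review, as are watchlisted standard events.
    flagged = {name for kind, name in pairs
               if kind == "trackCustom" or name in SENSITIVE_EVENTS}
    present = bool(PIXEL_LOADER.search(html) or ids)
    return PixelFinding(present=present, pixel_ids=sorted(ids),
                        events=events, sensitive_events=sorted(flagged))

# Constructed sample pages; the pixel ID is a placeholder, not a real one.
APPOINTMENT_PAGE = """
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000001');
fbq('track', 'PageView');
fbq('track', 'Schedule');
fbq('trackCustom', 'ConditionSearch');
</script></head>
<body><noscript><img src="https://www.facebook.com/tr?id=000000000000001&ev=PageView&noscript=1"/></noscript>
<form action="/schedule">...</form></body></html>
"""

CLEAN_PAGE = "<html><head><title>Contact</title></head><body><form action='/contact'></form></body></html>"

if __name__ == "__main__":
    for name, page in (("appointment", APPOINTMENT_PAGE), ("clean", CLEAN_PAGE)):
        f = audit_page(page)
        print(name, "pixel:", f.present, "ids:", f.pixel_ids,
              "events:", f.events, "review:", f.sensitive_events)
```

Because the real loader is inserted by tag managers as often as by hand, run the audit over rendered HTML (after scripts execute) as well as the static source.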

Onavo Protect VPN (2013-2019)

Before its shutdown in 2019 following public exposure, Meta operated Onavo Protect, a VPN app marketed as a privacy tool that actually routed all user traffic through Meta's servers. Onavo gave Meta granular intelligence on competitor app usage, data that directly informed the acquisitions of Instagram and WhatsApp and the copying of Snapchat features. Apple removed Onavo from the App Store in 2018 for violating data collection policies.

Facial Recognition (2010-2021)

Facebook's facial recognition system built a database of over 1 billion face templates. The system automatically identified users in uploaded photos without explicit opt-in consent. This violated Illinois's Biometric Information Privacy Act, leading to a $650 million class action settlement. While Meta claimed to delete the face templates in 2021, the company retained the underlying DeepFace technology.

Device-Level Collection

Data collected from devices includes:

  • Contact lists uploaded from phones
  • GPS location data and Wi-Fi network connections
  • Bluetooth signals and device identifiers
  • Battery level, storage space, and accelerometer data
  • Meta Quest VR: room-mapping data, eye-tracking, hand-tracking movements, facial expression data, and physical movement patterns

Inferred Data

Meta's machine learning systems generate predictions about users' political affiliations, religious beliefs, sexual orientation, health conditions, financial status, and life events, all derived from behavioral signals rather than explicit disclosure. Internal documents revealed during the 2021 whistleblower disclosures by Frances Haugen showed that Meta's algorithms amplified divisive content because it generated more engagement, directly trading user wellbeing for advertising revenue.

Known Clients & Government Contracts

Meta's primary clients are its advertising customers, numbering over 10 million active advertisers globally.

Cambridge Analytica & Political Campaigns

Cambridge Analytica obtained access to data from up to 87 million Facebook profiles through researcher Aleksandr Kogan's "thisisyourdigitallife" quiz app. Facebook's platform at the time allowed apps to harvest not only the data of consenting users but also the data of all their Facebook friends. Cambridge Analytica, funded by Robert Mercer and directed by Steve Bannon, used this data for psychographic voter profiling and targeted political advertising for the Trump campaign and the Leave.EU campaign during Brexit.

Device Manufacturer Partnerships

A 2018 New York Times investigation revealed that Facebook had granted over 60 device manufacturers deep access to user data through special APIs. Partners included Apple, Samsung, Amazon, BlackBerry, Microsoft, and Huawei. These partnerships allowed device makers to access users' friend lists, contact information, and other data, even when users had restricted third-party access in their privacy settings. The Huawei partnership drew particular scrutiny from U.S. lawmakers due to national security concerns.

Law Enforcement Data Requests

Meta responds to hundreds of thousands of government data requests annually. In 2022, the company complied with 72% of U.S. government requests for user data, totaling over 61,000 requests. The company drew particular criticism in 2022 for providing user data to Nebraska law enforcement in a case involving reproductive healthcare access following the Dobbs v. Jackson ruling. Meta delivered a teenager's Facebook Messenger conversations that were used to prosecute her for obtaining abortion medication.

Oversight Board

The Oversight Board, established in 2020 with a $130 million irrevocable trust, was presented as an independent governance mechanism for content moderation appeals. However, it has been criticized as a corporate-controlled entity lacking binding authority over the company's most consequential decisions regarding user data, algorithmic amplification, and advertising practices. Board members including former Danish Prime Minister Helle Thorning-Schmidt have publicly criticized Meta for limiting the scope of cases they can review.

Privacy Incidents & Litigation

Meta has faced an extraordinary volume of privacy-related incidents and regulatory actions, representing a sustained pattern of violations spanning over a decade.

Cambridge Analytica (2018): The revelation that Cambridge Analytica harvested personal data from up to 87 million Facebook users without consent through a quiz app represented a watershed moment in tech privacy. The data was used for political advertising targeting during the 2016 U.S. election and Brexit referendum. Facebook CEO Mark Zuckerberg testified before Congress in April 2018, and the scandal triggered worldwide regulatory reform including acceleration of GDPR enforcement.

FTC Settlement (2019): The Federal Trade Commission imposed a record $5 billion fine on Facebook, the largest penalty ever assessed against a technology company at the time, for violating a 2012 consent decree regarding user privacy. The settlement required Facebook to establish an independent privacy committee, conduct regular privacy reviews, and gave CEO Zuckerberg personal liability for false privacy certifications. FTC Commissioner Rohit Chopra dissented, arguing the settlement was inadequate given the severity of violations.

Irish DPC Record Fine (2023): Ireland's Data Protection Commission fined Meta EUR 1.2 billion, the largest GDPR fine ever imposed, for transferring European users' personal data to the United States without adequate data protection safeguards, violating the Schrems II ruling. The decision, reached after years of regulatory delay criticized by other EU DPAs, ordered Meta to suspend EU-US data transfers.

Instagram Children's Data Fine (2023): Ireland's DPC fined Meta EUR 405 million for Instagram's handling of children's personal data, including the default public visibility of minors' accounts, phone numbers, and email addresses. This was among the largest fines related specifically to children's privacy.

Facial Recognition BIPA Settlement (2021): Meta agreed to a $650 million settlement in Illinois, one of the largest privacy class action settlements in history, over its use of facial recognition technology on user photos without consent, violating the Illinois Biometric Information Privacy Act. Approximately 1.6 million Illinois residents received payments.

Texas BIPA Lawsuit (2024): Texas Attorney General Ken Paxton secured a $1.4 billion settlement from Meta for unlawfully capturing biometric data of millions of Texans through facial recognition technology without informed consent. This was the largest privacy settlement obtained by a single state.

533 Million Phone Number Leak (2021): Personal data of approximately 533 million Facebook users from 106 countries was posted on a hacking forum. The data included phone numbers, Facebook IDs, full names, locations, and birthdates, scraped through a vulnerability in Facebook's contact import feature.

WhatsApp Privacy Policy Backlash (2021): Meta's updated WhatsApp privacy policy, requiring data sharing with the broader Meta ecosystem, triggered global backlash. Regulatory investigations were launched in India, Germany, Turkey, and Brazil. The policy change prompted millions of users to migrate to Signal and Telegram.

Meta Pixel Health Data (2022-2023): Investigations by The Markup revealed that the Meta Pixel was transmitting sensitive patient data from hospital websites to Meta. Data included appointment details, health conditions, physician names, and prescription information. Multiple class-action lawsuits and Congressional hearings followed. The Veterans Affairs Department discovered Meta Pixel had been transmitting veteran health data from VA websites.

Shadow Profiles Litigation: Meta has faced multiple lawsuits over its practice of creating "shadow profiles" of non-Facebook users by collecting their data through the Meta Pixel, contact uploads from existing users, and other tracking mechanisms. This effectively surveilled people who never agreed to Meta's terms of service.

Frances Haugen Whistleblower (2021): Former Facebook product manager Frances Haugen leaked thousands of internal documents to the SEC, Congress, and media outlets, revealing:

  • Meta's own research showed Instagram was harmful to teenage girls' mental health
  • The company's algorithms amplified misinformation and hate speech for engagement
  • Safety measures were relaxed in developing countries to prioritize growth

Threat Score Analysis

Meta Platforms receives a composite threat score of 82/100, reflecting its position as one of the world's most significant threats to individual privacy:

  • Data Collection (92/100): Meta operates one of the most comprehensive surveillance apparatuses ever constructed. The company tracks billions of users across multiple platforms, the open web via Meta Pixel on 8M+ websites, and physical devices including VR headsets. The breadth and depth of collection, from encrypted message metadata to facial biometrics to room-mapping data, is unmatched outside of nation-state intelligence agencies. The Onavo VPN and shadow profile practices demonstrate a willingness to collect data through deceptive means.

  • Third-Party Sharing (88/100): Meta's entire business model revolves around monetizing user data through its advertising platform. The Cambridge Analytica scandal demonstrated the catastrophic consequences of loose data sharing controls. The 60+ device manufacturer data partnerships revealed by the New York Times showed systematic circumvention of user privacy settings.

  • Breach History (85/100): With 47 documented privacy incidents including the Cambridge Analytica scandal (87M profiles), the 2019 exposure of 540 million user records on unprotected Amazon servers, the 2021 leak of 533 million phone numbers, and the Meta Pixel health data transmissions, Meta has one of the worst breach records in the technology industry.

  • Government Contracts (55/100): While not primarily a government contractor, Meta complies extensively with government surveillance requests (61,000+ U.S. requests in 2022 at 72% compliance). The company's cooperation with the Nebraska abortion case demonstrated willingness to enable prosecutions based on private communications.

  • Transparency (60/100): Meta publishes transparency reports and created the Oversight Board, but these mechanisms have been criticized as insufficient corporate governance theater. The Frances Haugen disclosures revealed a systematic gap between Meta's public claims about safety and its internal knowledge of harms.

Weighted calculation: (92 * 0.25) + (88 * 0.25) + (85 * 0.20) + (55 * 0.15) + (60 * 0.15) = 23 + 22 + 17 + 8.25 + 9 = 79.25. The final score is adjusted upward to 82 to reflect the scale of impact across 3.9 billion users.

Transparency & Accountability

Meta publishes semi-annual transparency reports detailing government requests for user data, content restrictions, and intellectual property reports. However, these reports have been criticized for their lack of granularity and for omitting key categories of data sharing, particularly regarding advertising-related data flows and the Meta Pixel ecosystem.

Oversight Board Limitations

The Oversight Board, established in 2020 with a $130 million trust fund, reviews content moderation decisions but has no authority over data collection practices, advertising targeting, or algorithmic amplification, the areas most critical to user privacy. Board members have publicly criticized the company for limiting the scope of cases they can review and for slow compliance with Board recommendations. As of 2024, Meta had fully implemented only a fraction of the Board's policy recommendations.

Lobbying and Political Influence

Meta's lobbying expenditure consistently exceeds $20 million annually in the United States alone, making it one of the top-spending technology companies in Washington. The company has actively lobbied against federal privacy legislation, state biometric privacy laws, and children's online safety regulations. Meta's lobbying operation extends to the EU, where the company has fought to weaken GDPR enforcement and the Digital Services Act.

The revolving door between Meta and government regulators has drawn scrutiny. Former FTC officials, Congressional staffers, and EU regulatory personnel have joined Meta's policy and legal teams. This pattern raises concerns about regulatory capture and the effectiveness of oversight.

GDPR Non-Compliance Pattern

Meta's compliance with GDPR has been repeatedly found wanting by European regulators. The company's strategy of routing European users through its Irish subsidiary and challenging regulatory findings through lengthy legal proceedings has delayed enforcement for years. The Irish DPC itself was criticized by other EU data protection authorities for its slow handling of Meta cases. The European Data Protection Board eventually overruled the DPC to impose stronger penalties.

Structural Incentive Problem

Despite announcing privacy-focused features like end-to-end encryption for Messenger (completed December 2023) and restricting data access for third-party apps post-Cambridge Analytica, Meta's fundamental business model remains predicated on maximizing data collection. The structural incentives of surveillance capitalism ensure that privacy improvements are incremental and often offset by new forms of data collection. The biometric and spatial data gathered by Meta Quest headsets and the expansion of AI-powered advertising targeting represent the company's next frontier of surveillance, reducing reliance on cookies while deepening behavioral profiling through on-platform signals.
