A Lawyer Reads…the Facebook Terms of Service and Data Policy (Part 2)

In the modern, digital world, each of us is asked to read and accept hundreds of pages of terms and conditions governing the way we use our products and services.  While no one could be expected to read every term (especially for entertainment or other “low risk” services), as a specialist in reading and drafting such documents, a lawyer can offer insight into just how they operate (and what rights the average user gives away when they sign on the dotted line). 

In “A Lawyer Reads…”, we’ll take a deeper dive into a few of those little-read contracts, terms, and conditions in an effort to provide just a bit of that insight. 

For more information, check out www.hoeglaw.com or drop Rick a line at rhoeg@hoeglaw.com.


Today we continue our reading of the Facebook Data Policy with some of the most important questions facing the company and its users:  “How does Facebook use your information?” and “How is your information shared?”.

Check out Part 1 HERE.

Facebook digital

How do we use your information?

We are passionate about creating engaging and customized experiences for people. We use all of the information we have to help us provide and support our Services.

Information technology and other “new media” companies are famous for adding statements like this one to their legal documents.  Users should note, however, that as much as one might agree with the sentiment, a statement such as this is not legally “operative”.

I used that term a bit in Part 1, but to add clarity here, what I mean by that is that the statement does not bind or obligate the company making it to any particular course of action, legally.  In other words, despite the inclusion of these sentences, one could not sue Facebook for not “being passionate” or based on the premise that some of their rules do not “help” them “provide and support” their many services.

Something to consider as we read through the actual “rules”.

Provide, improve and develop Services.

We are able to deliver our Services, personalize content, and make suggestions for you by using this information to understand how you use and interact with our Services and the people or things you’re connected to and interested in on and off our Services.

So, they are permitted to use the information they collect (which can be robust; see Part 1) to analyze not just how you use Facebook, but also how you “interact” with people (or things) “on or off” of Facebook.  That’s a big one.  Facebook can try to use the data you’ve given it to figure out how you feel (and would interact with) things that are not at all Facebook related.  So, here is another sign that Facebook is a data analytics company first and foremost.

We also use information we have to provide shortcuts and suggestions to you. For example, we are able to suggest that your friend tag you in a picture by comparing your friend’s pictures to information we’ve put together from your profile pictures and the other photos in which you’ve been tagged. If this feature is enabled for you, you can control whether we suggest that another user tag you in a photo using the “Timeline and Tagging” settings.

This, while possibly intrusive, is right in the wheelhouse of what users think they are getting by giving Facebook access to all that data: a better more robust service that performs better since it can “see” what data a user is interested in.

When we have location information, we use it to tailor our Services for you and others, like helping you to check-in and find local events or offers in your area or tell your friends that you are nearby.

Again, a (possibly intrusive) use case for GPS location (or simply telling Facebook where you are), that a user might otherwise expect.  Nothing too untoward here.

We conduct surveys and research, test features in development, and analyze the information we have to evaluate and improve products and services, develop new products or features, and conduct audits and troubleshooting activities.

The link here goes to “Facebook Research”, which like all good research institutions puts forward as its public face the picture of a dozen smiling kids.  But in all seriousness, the use cases described here are, again, what a user would expect:  additions to Facebook features and improvements/development of services.  The research itself goes in some pretty interesting directions (Economics and Computation, anyone?), but Facebook does not appear to give itself the authority to sell a user’s data under the ambit of “research”.

Communicate with you.

We use your information to send you marketing communications, communicate with you about our Services and let you know about our policies and terms. We also use your information to respond to you when you contact us.

All fine here.  You give Facebook an e-mail address, they can send you marketing and other communications.  Okay.

Show and measure ads and services.

We use the information we have to improve our advertising and measurement systems so we can show you relevant ads on and off our Services and measure the effectiveness and reach of ads and services. Learn more about advertising on our Services and how you can control how information about you is used to personalize the ads you see.

So, here we have a bit of a language trick (and one that will prove prevalent throughout the rest of the terms).  While it is true that Facebook is using the information it has gathered to show you “relevant” ads, as we know, the real value of the data is in Facebook being able to sell that “relevancy” to prospective advertisers.  So, yes, Facebook wants to make sure ads are relevant and effective to you, but not out of any sense of graciousness or obligation.  Because it’s where their value lives.

(The links here go to, respectively, (i) the Data Policy section we read last week, (ii) a PowerPoint type website explaining how advertisers use ads on Facebook, and (iii) a settings screen that allows users to turn off  (A) “online interest-based ads”,  (B) ads on something called the Facebook Audience Network (which appears to apply Facebook ads to other “Facebook-enabled” devices), and (C) who can see “social actions” (likes) a user takes with advertising.  These settings give some insight as to just how much data Facebook collects and how it uses it.  All such settings are turned “on” by default.)

Promote safety and security.

We use the information we have to help verify accounts and activity, and to promote safety and security on and off of our Services, such as by investigating suspicious activity or violations of our terms or policies. We work hard to protect your account using teams of engineers, automated systems, and advanced technology such as encryption and machine learning. We also offer easy-to-use security tools that add an extra layer of security to your account. For more information about promoting safety on Facebook, visit the Facebook Security Help Center.

All fine here.  They use your data to help keep their systems secure, which is to be expected.  The link here goes to a FAQ-style website which tells users things like “Never share your password.”  Not exactly ground-breaking, but not harmful either.

We use cookies and similar technologies to provide and support our Services and each of the uses outlined and described in this section of our policy. Read our Cookie Policy to learn more.

Adding to legislator’s complaints from last week, the Facebook “Cookie Policy” is a document at least as long as the Data Policy, which makes it difficult to effectively summarize here.  Of particular note:

  • We use cookies to help us show ads and to make recommendations…
  • We also use cookies to help measure the performance of ad campaigns…
  • Cookies also allow us to provide insights about the people who use the Facebook Products…

So, basically in line with the rest of the Data Policy, but still something to consider as (like all the rest of the terms we are reading) the Cookie Policy may be amended and revised to change users’ rights and Facebook’s obligations at almost any time.

(Per Facebook’s own definition, for those unaware: Cookies are small pieces of text used to store and receive identifiers and other information on computers, phones, and other devices.)

Facebook Share

How is your information shared?

People you share and communicate with.

When you share and communicate using our Services, you choose the audience who can see what you share. For example, when you post on Facebook, you select the audience for the post, such as a customized group of individuals, all of your Friends, or members of a Group. Likewise, when you use Messenger, you also choose the people you send photos to or message.

So far so good.  Users get to select who their communications are shared with through the Facebook exactly as they would expect.

Public information is any information you share with a public audience, as well as information in your Public Profile, or content you share on a Facebook Page or another public forum. Public information is available to anyone on or off our Services and can be seen or accessed through online search engines, APIs, and offline media, such as on TV.

Both links here go to the same place, a Facebook Help Center post on “What is Public Information?”.  On that page, it is established that your age (range), language and country is always public, and that Facebook can use a part of your profile to “help connect with friends and family”.  This “Public Profile” includes information on name, gender, and account information.  “Use” is not otherwise defined, but seems intended by the company to facilitate network linkages through use of the “Public Profile”.

That said, the lack of definition here (as well as the fact that what is included in the “Public Profile” is relegated to a non-legal Help Center document) creates unneeded ambiguity.

In some cases, people you share and communicate with may download or re-share this content with others on and off our Services. When you comment on another person’s post or like their content on Facebook, that person decides the audience who can see your comment or like. If their audience is public, your comment will also be public.

So, if you share information with a gossip who elects to re-share it with the world, “it’s not Facebook’s fault.”  This is important language for the company from a legal perspective, but it means that *any* information could become public without the user’s express consent.  In effect, under this provision, a user “sharing” anything on Facebook’s services (even privately) will be deemed to have given *implied* consent to the public sharing of that information.

Or as stated in the “What is Public Information?” Help Center Page: “If other people share info about you, even if it’s something you shared with them but did not make public, they can choose to make it public.”

That may be common sense in the real world (“don’t share your secrets with gossips”), but it is certainly something of which users of Facebook should be aware.

People that see content others share about you.

Other people may use our Services to share content about you with the audience they choose. For example, people may share a photo of you, mention or tag you at a location in a post, or share information about you that you shared with them. If you have concerns with someone’s post, social reporting is a way for people to quickly and easily ask for help from someone they trust. Learn More.

So, a friend (or enemy) can post something about you or otherwise share something about you (such as your location) without your consent.  That is somewhat alarming, but again to be expected understanding how Facebook works.

The link goes to a March 10, 2011 Facebook Post made by “Facebook Safety” which describes the manner in which a user can complain about a post made with their information or likeness.  The user may ask for help in respect of the problem posting from a “trusted friend”, though the criteria for that status is not established.

Overall, the lawyer in me reads the previous two sections of this Data Policy primarily as Facebook’s attempt to inoculate themselves from liability for things the users do to each other.  This is perfectly reasonable from a corporate perspective, but it does little to protect any given user from the malicious acts of another.

Apps, websites and third-party integrations on or using our Services.

When you use third-party apps, websites or other services that use, or are integrated with, our Services, they may receive information about what you post or share. For example, when you play a game with your Facebook friends or use the Facebook Comment or Share button on a website, the game developer or website may get information about your activities in the game or receive a comment or link that you share from their website on Facebook. In addition, when you download or use such third-party services, they can access your Public Profile, which includes your username or user ID, your age range and country/language, your list of friends, as well as any information that you share with them. Information collected by these apps, websites or integrated services is subject to their own terms and policies.

Learn more about how you can control the information about you that you or others share with these apps and websites.

Reasonably self-explanatory here, but with the caveat that all uses of information  by a third party will be subject to *their* privacy policies, not Facebook’s (after transmission).  So particularly bad actors in the “Facebook game” space, for instance, could use the collected data in ways that the user does not want or expect.  As ever, it is important for users to understand the purported uses of their data before connecting third parties with their social media accounts.

(The links here go to the help center page about public information, a help center page about User IDs, and  a settings page for App access.)

Sharing within Facebook companies.

We share information we have about you within the family of companies that are part of Facebook. Learn more about our companies.

This is the same company list as was discussed in Part 1.  Facebook reserves the right to move user data around its various services and analytics companies.

New owner.

If the ownership or control of all or part of our Services or their assets changes, we may transfer your information to the new owner.

User information may be transferred as part of any sale of the entire Facebook enterprise.  This makes sense, but as mentioned before, users should note that because the service terms exist as online documents, they may be amended by Facebook (or a new owner) at practically any time.

In other words, reading this revision of the terms of service (as we are doing in this exercise) is only so useful in the event Facebook finds itself under “new management”.

Sharing With Third-Party Partners and Customers

We work with third party companies who help us provide and improve our Services or who use advertising or related products, which makes it possible to operate our companies and provide free services to people around the world.

Note the inclusion of parties “who use advertising or related products”, and also the subtle tie to advertising as permitting the company to “provide free services”.  (The word free is always an interesting one in the law.  It means without the payment of money here, but as most well know, “there’s no such thing as a free Facebook.”)

Here are the types of third parties we can share information with about you:

Again, “types of third parties” is an interesting bit of language usage.  It implies a broad group (“types”) without delineation.  In other words, it is very similar to seeing the term “including” in a contract.  It implies a limit to a list without actually fully committing to one.

Advertising, Measurement and Analytics Services (Non-Personally Identifiable Information Only).

We want our advertising to be as relevant and interesting as the other information you find on our Services. With this in mind, we use all of the information we have about you to show you relevant ads.

This is not strictly true, of course, at least not to the extent it implies advertising as the sole use for the collected information: Facebook also reserves the right to use information to “improve” products, conduct research, and verify security in the very policy we are reading.  That said, it is close enough for our purposes and provides valuable insight as to what is important to Facebook.

Facebook provides a “free” service through which it can collect data and then uses that data to “target” advertisements.

That’s its entire value proposition.

Mark Zuckerberg told Congress last week that Facebook does not “sell” users’ data, and that appears to be accurate (I would not have expected his counsel to allow him to lie), but what the company actually does with user data is bound to have roughly the same effect for the average user.

If a third party wants to sell to a woman roughly 30 years old, who regularly talks to her grandmother, lives in Seattle, and loves Hibachi cooking.  Then chances are, they’re getting the ad.  The fact that Facebook didn’t need to sell the user’s name to the third party (and effectively just did the “dirty work” itself), does little to change the net effect for the targeted user.

Now, nothing is “free” after all (and this isn’t *that* unexpected for folks who follow the company) but users should be aware of what is happening (and to quit Facebook if they don’t like it).

We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement or analytics partners unless you give us permission. We may provide these partners with information about the reach and effectiveness of their advertising without providing information that personally identifies you, or if we have aggregated the information so that it does not personally identify you. For example, we may tell an advertiser how its ads performed, or how many people viewed their ads or installed an app after seeing an ad, or provide non-personally identifying demographic information (such as 25 year old female, in Madrid, who likes software engineering) to these partners to help them understand their audience or customers, but only after the advertiser has agreed to abide by our advertiser guidelines.

So, your data is anonymized.  The advertiser knows they want to reach that 30 year old in Seattle who loves her grandmother, they just don’t know that that person is you.  This is about as reasonable a statement of protection as one could expect given that Facebook *needs* its users’ data to even survive as a viable commercial platform.  Without that data, Facebook would have nothing to “sell”.

(The link here goes to a separate “advertising policies” subsection of the Facebook browser application.  Generally speaking, it is a list of rules for advertisers to follow in creating ads for the Facebook platform (“Ads must not promote illegal products”; “Ads must not contain bad grammar or punctuation”; “You must not use targeting options to discriminate against users”; etc.).  Such rules do not directly impact user’s data (or their interactions with the platform), but they are interesting to review.)

Not sure if the “bad grammar” rule has ever been enforced, however.

Vendors, service providers and other partners.

We transfer information to vendors, service providers, and other partners who globally support our business, such as providing technical infrastructure services, analyzing how our Services are used, measuring the effectiveness of ads and services, providing customer service, facilitating payments, or conducting academic research and surveys. These partners must adhere to strict confidentiality obligations in a way that is consistent with this Data Policy and the agreements we enter into with them.

Generally speaking, this is fine and to be expected.  Facebook uses outside parties to perform certain infrastructure services and that necessarily means that some of those parties may gain access to user data.  Facebook agrees to make sure any such party is bound by the same rules and restrictions that Facebook is in respect of such data.

Not much to complain about here, except to note that “consistent with this Data Policy” does not actually describe the restrictions that would apply to such service providers.  Given that they are not actually Facebook (and thus don’t need rights such as “advertisement targeting” that are otherwise afforded to Facebook itself), it might have been nice to see a more blanket confidentiality requirement.


So, next time, we’ll finish up the Data Policy before turning our attention back to the Terms of Service Agreement itself.  Just a few thousand more words of analysis and we’ll be done.  Now, who said these documents were complicated?

Until then, check out www.hoeglaw.com or drop Rick a line at rhoeg@hoeglaw.com.

For More: PART 1PART 3

2 thoughts on “A Lawyer Reads…the Facebook Terms of Service and Data Policy (Part 2)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s