Which social media are the most privacy-oriented in 2025 | Kaspersky official blog
Let’s compare TikTok, Twitch, YouTube, Reddit, Pinterest, Facebook, Instagram, and other social media based on the amount of data they collect and their privacy settings.
AI Analysis
Technical Summary
The Kaspersky blog post summarizes a comprehensive 2025 study by Incogni evaluating the privacy practices of 15 leading social media platforms, including TikTok, Facebook, Instagram, YouTube, Twitch, Reddit, Pinterest, Quora, LinkedIn, and X (formerly Twitter). The study assessed platforms on multiple criteria: data collection volume, resale and sharing of personal data, privacy settings availability and defaults, fines for privacy violations (including GDPR and CCPA), and use of user content for AI training. Pinterest and Quora emerged as leaders with minimal data collection and strong privacy defaults, while Facebook and TikTok ranked lowest due to extensive data harvesting and numerous regulatory fines. The study highlights that all platforms collect sensitive personal data, including geolocation, device identifiers, and user activity across apps and websites. Many platforms use this data for targeted advertising and AI model training, often without clear or comprehensive opt-out mechanisms. Facebook and YouTube notably train both in-house and third-party AI models on user content. Privacy settings vary widely, with some platforms offering robust controls and others providing minimal options and poor default privacy. The report underscores that no platform achieves ideal privacy, and users must proactively manage settings to reduce exposure. While no direct technical vulnerability or exploit is identified, the pervasive data collection and sharing practices represent a significant privacy threat, especially under stringent European data protection regulations. The study serves as a cautionary overview of social media privacy risks in 2025, emphasizing the need for user awareness and organizational vigilance.
Potential Impact
For European organizations, this privacy landscape presents multiple risks. Extensive data collection and sharing by popular social media platforms can lead to inadvertent exposure of sensitive personal or corporate information, increasing the risk of data breaches or misuse. Non-compliance with GDPR and other European privacy laws due to reliance on platforms with poor privacy practices can result in substantial fines and legal consequences. Organizations using these platforms for marketing or customer engagement may face reputational damage if user data is mishandled or if privacy violations become public. The use of user-generated content for AI training without explicit consent could raise ethical and legal concerns, particularly in sectors handling sensitive data. Furthermore, employees’ personal social media use can indirectly affect organizational security posture if privacy settings are lax, potentially exposing internal information or enabling social engineering attacks. The broad scope of data collected, including geolocation and device identifiers, increases the attack surface for threat actors targeting European entities. Overall, the threat impacts confidentiality and privacy integrity, with medium severity due to the indirect nature of the risk and absence of direct exploitation vectors.
Mitigation Recommendations
European organizations should implement several targeted measures beyond generic advice:
1) Conduct thorough audits of social media platforms used for business purposes, assessing their privacy policies and data handling practices against GDPR requirements.
2) Prefer platforms with stronger privacy rankings (e.g., Pinterest, Quora, Twitch) for corporate social media activities and minimize use of platforms with poor privacy records for sensitive communications.
3) Enforce strict internal policies requiring employees to configure maximum privacy settings on personal and professional social media accounts to limit data exposure.
4) Regularly monitor regulatory developments and fines related to social media privacy to anticipate compliance risks.
5) Use privacy-enhancing tools such as browser extensions or VPNs to limit tracking and data leakage when accessing social media.
6) Educate staff on the implications of AI training on user content and encourage cautious sharing of proprietary or sensitive information on social platforms.
7) Leverage privacy checkers and automated tools to verify and optimize privacy settings across platforms.
8) Establish incident response plans that include social media-related data exposure scenarios.
9) Engage with legal and compliance teams to review contracts and data processing agreements with social media providers.
10) Consider alternative communication channels with stronger privacy guarantees for sensitive organizational interactions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden, Poland, Austria
Technical Details
- Article Source
- {"url":"https://www.kaspersky.com/blog/social-networks-privacy-rating-2025/54684/","fetched":true,"fetchedAt":"2025-10-29T15:16:41.542Z","wordCount":1676}
Threat ID: 69022fd983bae5e856672194
Added to database: 10/29/2025, 3:16:41 PM
Last enriched: 10/29/2025, 3:16:57 PM
Last updated: 10/30/2025, 6:35:33 AM