Hong Kong: PCPD publishes report comparing privacy settings of social media platforms
The Privacy Commissioner for Personal Data ('PCPD') published, on 12 April 2022, a report on the comparison of privacy settings of social media. In particular, the PCPD highlighted that this report follows an increase in public awareness with regards to personal data privacy risks related to the use of social media. More specifically, the PCPD stated that the report followed a review of the top ten most commonly used social media platforms in Hong Kong.
Furthermore, the PCPD confirmed that the review results highlight the performance of the ten social media platforms in terms of their privacy functions, privacy policies, and the usability of privacy dashboards. As such, the PCPD noted that some of the key findings of the report include the following:
- the social media platforms reviewed collect a wide variety of personal data, ranging from 12 to 19 types of personal data;
- the reviewed social media platforms collect users' location data (including both the precise and coarse locations); and
- in terms of the default privacy settings, the age and telephone number of a user are not disclosed by certain platforms, while the other social media platforms reviewed disclose users' personal data such as age, location, email address, or telephone number by default.
Moreover, the report highlights the following advice to the reviewed social media platforms:
- operators of these platforms should continuously adopt the 'Privacy by Design' principles to enhance their services and provide more privacy-related functions to users so as to increase the choices available to users;
- the platforms should be cautious of the types of personal data collected and avoid collecting more data than is necessary for its services;
- privacy policies for social media should be clear and easy to understand and should not be vague and general; the PCPD added that the use of layered presentations, infographics, tables, or short videos would help to improve the readability of privacy policies;
- social media should not track locations of its users by default, and should provide choices to its users according to their needs;
- social media should provide end-to-end encryption and two-factor authentication, in order to strengthen the protection of users' personal data; and
- operators of social media should also proactively tackle 'doxxing', 'data scraping', or other illegal acts and limit the ways for searching users.
Finally, the report gives the following advice to users of the reviewed social media platforms:
- check the default settings on security or privacy of the social media, as well as the ways through which individual users may be searched on the media, with a view to minimising the disclosure of personal data and opting for the most privacy-protecting settings;
- consider turning off the location tracking function to avoid the collection of location data by the social media;
- pay attention to the privacy options of contents posted and select the appropriate settings, before posting the content;
- before choosing any instant messaging application, pay attention to whether it provides end-to-end encryption in order to strengthen the confidentiality of transmitted data;
- use strong passwords and enable two-factor authentication for social media to strengthen account security;
- minimise the risk of credit card data leakage by avoiding transactions on social media platforms over public Wi-Fi or unsecured Wi-Fi connections; and
- parents/guardians should consider enabling parental controls in order to monitor their child/childrens' use of social media, reminding them of the consequences of excessive disclosure or sharing of personal data.