Meta logo shown on device screen showing Threads privacy concerns

Newly-Launched Threads Already Raising Privacy Concerns With Sensitive Data Collection, Instagram Sharing

Meta’s would-be Twitter-killer Threads could not have been handed a bigger gift by its rival for its launch week, save perhaps for the infamous blue bird app declaring insolvency and plans to shutter. The sudden decision by Twitter to lock out much of its web browser traffic and severely rate limit users came just a few days ahead of the Threads public launch, driving tens of millions of signups. But privacy concerns may be getting lost in the stampede to find a “better Twitter,” as researchers warn that Meta’s new app collects much more sensitive personal information than comparable platforms.

The seeming permanent tying together of Threads and Instagram accounts, to the point that one cannot remove the former from their device without also putting an end to the latter, could also cause regulatory trouble for Meta. While the new platform has committed to not running ads until it develops a “clear path” to a billion users, something expected to take at least several months, brands are already signing up and the data points for future ad campaigns are already being collected.

Threads privacy concerns: Web activity, health data, precise location all fair game

Privacy advocates and security researchers have noted that Threads already collects more personal data than many other social media apps; a wide variety of it could be considered invasive, and is also not at all necessary for the app’s function. Privacy concerns have been raised due to the app’s ability to log browsing history, search history, physical geolocation, employment, union membership, health status, race and ethnicity, sexual orientation and more under the app’s current expansive data collection terms.

Almost none of this data is necessary for app function, even for voluntary features. It is all data points for future advertising, and brands such as Amazon, Pepsi and the National Football League are already on board and anticipating future targeted campaigns.

Meta also faces potential issues due to the way that Threads forces integration with Instagram. Entirely new users will have an Instagram account created for them when they sign up for Threads, while those with existing Instagram accounts must link the two inextricably. That includes also deleting one’s Instagram if one decides they no longer want to have a Threads account. Threads profiles can be deactivated without impacting Instagram accounts, but not deleted entirely. A Meta spokesperson said that the Threads team is “looking into” a way to separately remove the app, but there is no timeframe (or promises) at present.

Instagram already has a checkered history in terms of sharing user data with Facebook (and its web-spanning advertising network), something that has been at the center of privacy concerns for over a decade now. When Facebook acquired Instagram in 2012, the company initially made assurances that existing users would not have data shared with Mark Zuckerberg’s social media empire. Facebook wasted little time in reneging on this offer, beginning compulsory data sharing between the two apps in 2012. The scope of this gradually expanded over the years, culminating in the formal back-end merger of Facebook Messenger and Instagram in 2020.

The privacy concerns about Threads are thus based in recent company history, and it appears users will not have much of an option in keeping their personal data from use of the app out of the Facebook advertising monolith. Nor will they be able to effectively separate family and friends on the two different apps, at least not without creating a “burner” Instagram account.

Meta’s EU woes, insistence on protected data delay EU rollout

While the Threads party has already started in some 100 countries, the app’s debut is on indefinite hold in the EU due to privacy concerns. Meta is currently weathering legal difficulty on multiple fronts in the region, all of which could continue to hold up the rollout.

The first of these is a May ruling by the Irish DPC that Meta has been in violation of the General Data Protection Regulation (GDPR) in its data transfers to US servers, an assessment that was accompanied by a record fine of €1.2 billion. This followed from the 2021 EU high court ruling that data transfers between the two regions were no longer valid without an array of added security that prevents the possibility of interception by the US government or sharing with third parties. Meta is appealing the decision, which could ultimately see it either forced to vacate the EU or expand operations there for data localization beyond its three existing data centers (though much could also depend on a forthcoming data transfer framework agreement and the very likely court challenge it will face).

The EU has other landmines waiting for Threads. The most immediate reason for the pause to the regional rollout is likely the scope of sensitive information it insists on collecting, which falls into a special protected category under the GDPR terms. Meta previously claimed a “legitimate interest” exception to these rules to collect such data without notifying the user, which was recently struck down in court. The app would either have to pare back the data it collects in the EU to assuage privacy concerns, or give up on Europe.

And the EU is not the only place where privacy concerns are bringing regulatory scrutiny. Threads is not safe in the US, where Meta is still under a consent decree first issued by the FTC in 2012 that forbids “unfair or deceptive” practices as regards handling user personal information. It is possible that the forced linking of Instagram and Threads accounts could violate this decree if the FTC determines that users of either service have lost adequate control of the privacy of their data or have to go through onerous extra steps to ensure it is secured.