Part 2 of our series on online privacy. Part 1 — What is a digital footprint? — is at news.atozofcyber.co.uk
Most people have an intuitive sense that social media platforms collect data. Fewer have a clear picture of how much, how it is used, and how recently regulators have concluded that some of the biggest platforms in the world were not doing enough to protect that data — particularly when it belongs to children.
This article looks at what is actually happening behind the scenes of the apps most of us use every day, and what meaningful control looks like.
What platforms actually collect
The list is longer than most people expect, and not all of it is obvious.
What you explicitly share: posts, photos, videos, comments, your bio, your relationship status, your workplace, your location tags.
What you implicitly reveal: the accounts you follow, the posts you linger on, what you like and share, who you message and how often, the times of day you are most active. None of this requires you to type anything personal. The pattern of your behaviour is itself a rich source of information.
What the platform infers: using the data above, platforms build a profile that predicts your interests, your political leanings, your purchasing intent, and in some cases sensitive characteristics you have never disclosed. This is how you can search for something once and then see related adverts for weeks. The platform has not read your mind — it has inferred a likely interest from a pattern of behaviour.
What other people reveal about you: photos you are tagged in, posts that mention you, contact details uploaded by a friend's phone when they sync their address book. A meaningful part of your digital footprint is created by other people, often without either of you thinking about it.
A useful, sobering recent example
In February 2026, the ICO fined Reddit £14.47 million for failing to protect children's personal data, following an investigation that found Reddit had not implemented effective age verification until July 2025 — and even then relied only on users self-declaring their age, which is trivially easy to falsify. Weeks earlier, the ICO fined MediaLab, the company behind Imgur, £247,590 for similar failings, finding that children using the platform had been exposed to harmful content as a result.
These are not minor administrative penalties. They represent a regulator concluding that two major platforms — both widely used in the UK, including by children — were processing personal data unlawfully and exposing vulnerable users to real harm as a result. The ICO has since written formally to social media and video-sharing platforms calling for stronger, technology-based age checks rather than simple self-declaration.
The lesson here is not that social media is uniquely dangerous. It is that the protections you might assume are in place — "surely the platform checks this" — are not always there, even on platforms used by hundreds of millions of people. Personal vigilance about your own settings remains a meaningful layer of protection that does not depend on regulators catching up.
The default settings problem
Most people never change the default privacy settings on a new account. Platforms know this, and the defaults are not always set with your privacy as the priority. The ICO's own Children's Code, while specifically aimed at protecting children, makes an observation that applies more broadly: services should assume that users will not change default settings, which means defaults should be set conservatively in the first place. Not every platform does this.
This means that an account created without any adjustment may, by default, allow your posts to be visible to anyone, your location to be shared, your contact list to be searchable, and your activity to be used for targeted advertising — all without you ever having made an active choice to allow it.
A practical audit, platform by platform
This is worth doing once, properly, rather than repeatedly putting off. Set aside fifteen minutes per platform you use regularly.
Check who can see your posts. Most platforms allow you to set your account to private or to restrict visibility to followers or friends only. Check this setting specifically — many people assume it is already set the way they want, and it often is not.
Check your tagged photos and posts. Look at what others have tagged you in. Most platforms allow you to require approval before a tag involving you becomes visible, or to remove tags after the fact.
Check location settings. Many platforms attach location data to posts by default, and some apps continue to track location in the background even when the app is closed. Review location permissions specifically — not just within the app, but in your phone's overall settings.
Check what is visible when logged out. This is the step most people skip. Open your profile in a private or incognito browser window, logged out of your account, and see exactly what a complete stranger can see. This is often more revealing than checking your settings while logged in, where the platform shows you a friendlier version of your own visibility.
Check advertising and data-sharing permissions. Most platforms have a settings section — often labelled "Ads," "Data," or "Privacy and Personalisation" — that lets you limit how your activity is used for targeted advertising and whether your data is shared with third parties. This rarely removes advertising altogether, but it reduces how personal and detailed the targeting becomes.
Review connected apps. Many people have, over the years, connected dozens of third-party apps and games to their social media accounts using "Log in with Facebook" or similar. Each of these apps may retain access to your profile data indefinitely, even if you stopped using the app years ago. Most platforms have a section listing connected apps — go through it and remove anything you no longer use.
A note for parents
The findings against Reddit and Imgur are a useful prompt to revisit the conversations covered in our earlier Your Digital Family series. The ICO's Children's Code requires that children's accounts default to private, with geolocation switched off by default — but as the Reddit case shows, not every platform implements this in practice. It remains worth checking these settings directly on any account your child uses, rather than assuming the platform has done it for you.
What does this mean for me?
Set aside time this week to audit your main social media accounts. Privacy, tagging, location, advertising permissions, and connected apps — all five, on each platform you use regularly.
Check what is visible when logged out. This single step reveals more than any settings menu, because it shows you what is actually public rather than what you assume is private.
Remove connected apps you no longer use. These represent ongoing access to your data for no current benefit to you.
Do not assume the platform has protected you by default. The ICO's enforcement actions against major platforms in 2026 demonstrate that even basic protections are not always in place without regulatory pressure. Your own settings remain the most reliable layer of control you have.
🧠 The Human Factor
| Technology involved | Social media platforms' data collection systems — explicit content, behavioural tracking, inferred interest profiles, and data shared by connected third-party apps |
| Root cause | Default settings are not always configured with user privacy as the priority, and major platforms have been found by regulators to fall short of basic protective standards even at scale |
| What was at risk | Personal visibility to strangers, exposure of children to harmful content (as found in the ICO's Reddit and Imgur rulings), and ongoing data access by long-forgotten connected apps |
| Prevention | A regular audit of privacy, tagging, location, advertising, and connected app settings — checked from a logged-out view to see what is genuinely public |
Next in the series: Data brokers — the companies you've never heard of that know everything about you.
References and sources
- ICO: Reddit fine of £14.47 million (24 February 2026) — ico.org.uk
- ICO: MediaLab/Imgur fine of £247,590 (5 February 2026) — ico.org.uk
- ICO: open letter to social media and video-sharing platforms on age assurance (12 March 2026) — ico.org.uk
- ICO Children's Code (Age-Appropriate Design Code) — ico.org.uk
- NCSC: Social media: how to use it safely — ncsc.gov.uk