Online Privacy Settings: Platform-by-Platform Guide
Platform privacy controls govern what data third parties, advertisers, and other users can access about an individual's account, behavior, and communications. Across major US-based platforms — including social networks, messaging services, search engines, and cloud storage providers — the architecture of these controls varies substantially in scope, default posture, and regulatory exposure. Federal frameworks including the Federal Trade Commission Act and the Children's Online Privacy Protection Act (COPPA), enforced by the Federal Trade Commission, shape the minimum disclosure and consent requirements that underlie these settings. This reference maps the structure of platform privacy controls, how they function technically, where they apply in practice, and how to interpret the boundaries between them.
Definition and scope
Online privacy settings are user-accessible configuration controls that regulate data collection, sharing, visibility, and retention within a digital platform. The scope of these controls extends across four primary dimensions:
- Visibility — who can see profile information, posts, location, and activity
- Data collection — what behavioral, device, and usage data the platform gathers
- Third-party sharing — whether data is passed to advertisers, partners, or data brokers
- Communications — who can send messages, tag accounts, or initiate contact
The FTC's Privacy and Security Enforcement framework holds that deceptive or unfair data practices violate Section 5 of the FTC Act (15 U.S.C. § 45). Separately, COPPA (16 C.F.R. Part 312) imposes specific consent and disclosure requirements for platforms collecting data from users under age 13, with civil penalties that can reach $51,744 per violation (FTC COPPA Rule).
Privacy settings fall into two structural categories: default-on (data sharing is active unless the user disables it) and default-off (data sharing requires affirmative opt-in). The distinction is consequential — most commercial platforms default to maximizing data collection, which the Electronic Frontier Foundation has documented as a systemic pattern across major social and advertising technology ecosystems. Platform-specific implementations differ significantly in how these defaults are disclosed and how granular the user's control options are.
How it works
Privacy settings operate through a combination of account-level configuration panels, API-layer permissions, and backend data processing policies. The user-facing toggle or dropdown is only the surface layer; what happens downstream — whether a setting actually restricts data broker syndication or only limits on-platform visibility — depends on the platform's internal data architecture.
The general mechanism across major platforms follows this structure:
- Account creation and default assignment — New accounts receive a default privacy profile, typically oriented toward broad visibility and data sharing.
- Settings panel access — Users navigate to a dedicated privacy or security section (location varies by platform).
- Control selection — Individual controls are toggled for audience visibility, location access, ad personalization, connected apps, and data download/deletion.
- Backend propagation — Changes are transmitted to the platform's data processing systems; propagation time varies and is not always instantaneous.
- Third-party API restriction — Some platforms require separate action to revoke permissions granted to third-party applications, independent of general privacy settings.
- Retention policies — Deleting or restricting data sharing does not always trigger immediate data deletion; retention schedules vary by platform and are governed by each company's privacy policy under FTC oversight.
The NIST Privacy Framework (Version 1.0) provides a structured vocabulary for evaluating these mechanisms, distinguishing between data processing transparency, individual participation, and data management as discrete control categories — a taxonomy that maps directly onto the platform setting types described above.
Common scenarios
Understanding how privacy settings apply across specific platform categories helps distinguish between controls with meaningful protective effect and those that are largely cosmetic.
Social networks (e.g., Facebook/Meta, Instagram, X/Twitter)
Profile visibility, post audience, and tagging controls are well-developed but do not restrict the platform's own data collection for advertising purposes. Meta's Data Policy confirms that behavioral data is collected regardless of audience visibility settings. Limiting ad personalization requires separate action in the "Ad Preferences" panel.
Search engines (e.g., Google, Bing)
Search history and personalization are controlled through account-level activity dashboards. Google's My Activity tool allows users to pause Web & App Activity and set auto-delete schedules of 3, 18, or 36 months. Disabling personalization does not prevent session-level data collection for security and abuse prevention.
Messaging platforms (e.g., Signal, WhatsApp, iMessage)
End-to-end encryption is the primary privacy mechanism for content. Signal, documented by the Electronic Frontier Foundation's Secure Messaging Scorecard, provides both content encryption and minimal metadata retention. WhatsApp encrypts message content but retains metadata including contact lists and usage frequency under its Privacy Policy.
Cloud storage (e.g., Google Drive, iCloud, Dropbox)
Sharing settings control document-level access. Privacy settings govern whether the provider can scan file content for advertising (Google Workspace personal accounts historically allowed this; enterprise accounts operate under stricter data processing agreements).
Decision boundaries
Navigating platform privacy settings requires distinguishing between controls that operate at different layers of the data lifecycle — a separation that determines what protection is actually achieved.
| Control Type | What It Limits | What It Does Not Limit |
|---|---|---|
| Audience/visibility | Who sees content on-platform | Platform's own data collection |
| Ad personalization off | Use of data for targeted ads | Collection of behavioral data |
| Location off | Active GPS sharing | Inferred location from IP address |
| Third-party app revocation | App's API data access | Data already transmitted to the app |
| Account deletion | Future data collection | Data retained under platform retention schedules |
The operative distinction for online safety listings and professional privacy assessments is between consent controls (managing what others can do with data) and collection controls (managing what the platform itself gathers). These are separate mechanisms requiring separate action.
For research contexts navigating the online safety directory purpose and scope, the regulatory distinction matters: COPPA governs collection from minors; the California Consumer Privacy Act (CCPA), enforced by the California Privacy Protection Agency, governs deletion and opt-out rights for California residents but has no direct federal equivalent. The FTC's proposed Commercial Surveillance and Data Security rulemaking represents the primary federal regulatory vector for expanding these rights nationally, though no final rule was in force as of the publication of this reference.
The how to use this online safety resource documentation provides additional context for interpreting how privacy controls intersect with professional service categories in this directory.
References
- Federal Trade Commission — Privacy and Security Enforcement
- FTC — Children's Online Privacy Protection Rule (COPPA), 16 C.F.R. Part 312
- NIST Privacy Framework, Version 1.0
- Electronic Frontier Foundation — Privacy Issues
- California Privacy Protection Agency — CCPA/CPRA
- FTC — Commercial Surveillance and Data Security Rulemaking
- NIST SP 800-53, Rev. 5 — Security and Privacy Controls