Jennifer Shore and Jill Steinman:

Results summary: We harvested old copies of Facebook’s privacy policies from the Internet Archive’s Wayback Machine from 2005 to 2015. We ranked each Facebook privacy policy based on its compliance with each of 33 relevant PPR Framework criteria, on a scale from 0 to 4 (with 0 indicating that the privacy policy did not meet a criterion at all, and 4 indicating that the criterion was fully met). We found a decline in 22 of the 33 standards we measured in Facebook’s stated privacy policy. Here are some examples. The measure of whether Facebook’s privacy policy fully describes use of Internet monitoring technologies, including but not limited to beacons, weblogs, and cookies, dropped from 4 to 0. The measure of whether the privacy policy fully describes under what circumstances data are externally disclosed started at 3, rose to 4 and then dropped to 0. The measure of whether the privacy policy describes a system that allows users to clearly identify data used for profiling and targeting started at 4 and dropped to 0. The measure of whether the privacy policy fully describes what ability the [user] has to change, segment, delete, or amend their information started at 4, bounced to 2 and back, and then dropped to 0. Drops in these measures suggest that privacy policies became less informative over time, even as word count soared.