CTA: This is the Last Day to Object/Delete Your Meta Accounts

Tl;Dr: This whole post is a long-winded way of me saying that Meta shouldn’t be trusted, and that you should delete your Facebook/Instagram accounts immediately unless you’re cool with everything you’ve ever publicly shared on Instagram or Facebook dumped into Meta’s crappy Large Language Model (LLM) and probably later used by Meta to train its facial recognition glasses. Here’s a handy how to (with pictures!) from CNet that is much easier to follow than Meta’s own instructions.

If you don’t want to fully delete, you should at least opt-out of having your data used for training Meta’s AI. I wrote some guidance language here.

At one time in my life, I briefly trusted Facebook/Meta enough to work for them. It was shortly after the Cambridge Analytica scandal, and Mark Zuckerberg, eager to keep the company stock from tanking engender user trust, promised users and regulators, that things would change. Facebook was done with ‘Move Fast and Break Things’—and was serious about getting their privacy house in order. From now on, he promised, Facebook, Instagram, and WhatsApp would be committed to protecting users’ data and would embrace the GDPR as a global business standard. Zuck promised that the company would learn from their past mistakes.

And for a time, the company seemed to actually making genuine efforts at data protection & governance. The team I was on focused on how to implement the core principles and requirements of the GDPR at a technical level. I worked with the legal and engineering teams on what seemed at the time, small, but positive changes to the Facebook platform & the company’s omnivorous data collection practices. The people I worked with all seemed genuinely committed to the cause, these improvements were at least nominally encouraged by leadership.

But that commitment lasted about six months, and once the press around CA died down and people moved on to some new hell, the status quo returned. I soon realized that no amount of individual or group effort was going to change that beyond a few superficial changes. A transparency tweak here, a flag set there. As the old trope goes, a leopard never changes its spots, and Facebook is a ferocious leopard indeed.

I was employed by Facebook for nine months. A few months after I quit, the Data Protection Commission (DPC) in Ireland started to crack down on the company, and a trickle of fines have resulted, usually with headline-grabbing numbers, but little money actually filling Irish coffers. And now, it seems that in 2025, even the DPC has given up on holding Meta to account, as evidenced by their recent 21 May 2025 announcement greenlighting Meta’s planned harvesting of all public Facebook and Instagram posts for users that have not opted out.

Meta’s Missing LIA

Just as I abandoned hope in Meta after 2019, I’ve also largely given up believing that the current DPC will do much to protect data subject rights. In their press statement, the DPC attempts to weakly justify what is in essence, a capitulation to one of the worst offenders in the industry. The regulator effectively says that Meta can rely on the legitimate interests basis for training its large language model on users personal data, including sensitive personal data with almost no limits.

I am a little salty, however, that the DPC did not require Meta to share its Legitimate Interests Assessment publicly. This represents a missed opportunity for much-needed clarity and transparency. But, because I love all my readers, I decided with the aid of my years of expert knowledge and nine months of direct, hands-on experience in the belly of the beast to recreate their analysis here. For those not aware, in order to rely on ‘legitimate interests’ as a lawful basis of processing, the controller must undertake a balancing test. This requires the controller to satisfy three cumulative conditions:

• First, the controller must identify which legitimate interest or interests are being pursued, either by the controller directly, or on behalf of a third party;

• Second, the controller needs to explain how its necessary for them to process personal data for that purpose or purposes; and

• Third, the interests or fundamental freedoms and rights of affected data subjects must be considered and weighed against the interests of the controller (the balancing test).

I suspect Meta’s cumulative answers to these questions fit comfortably on a single A4 sheet, and went something like this:

1. We have a legitimate interest in training our LLM because capitalism and we want to.

2. We believe that processing all user data going back forever is necessary because, uh, we can? And freedom? And also because the EU laws are all big mean unlawful tariffs that violate our god-given rights to make money. ‘MURICA!
   
   Besides, users have a choice. They can object, even though we designed our opt-out process to be intentionally difficult and require the user to supply us with prompts on what to remove. They can also delete their accounts, even though we make that process painful as well. And fine, because the DPC kinda yelled at us a little, we’ll make it so that we only process public user posts. So it’s really on them to dig through the bowels of our purposefully complex account settings and make their posts private on Instagram and Facebook. Though if you’re not on Facebook/IG or your friends shared information about you on their own posts and left them public, well, sucks to be you!

3. We decided that our users have no fundamental rights and freedoms because what’s a fundamental right again? We don’t have those in America, so they must not exist.
   
   Also, if users don’t want their data to be used to train our LLM and facial recognition glasses, that’s on them because they chose to have a Facebook/Instagram account in the first place.
   
   I mean, sure, grandma set up her account way back in 2012 to keep tabs on the grandkids and post conspiracy theories about foreigners, but that doesn’t mean that she shouldn’t have anticipated that eventually we’d use her data to train our mediocre LLM. Even though ‘large language model’ wasn’t even a thing in 2012.

But hey, I could be wrong! And if I am, great! All Meta needs to do to shut this loudmouth down is to share their goddamn LIA.

Both the DPC and Meta also failed to offer answers to the following related questions that are similarly important:

• The application of Article 21 (the right to object) after 27 May 2025, even though that right doesn’t simply go away merely because a controller sets an arbitrary date.

• The technical measures Meta is taking to actually de-identify/anonymize/filter specific user data, sensitive data and the like, and how this will be tested. How, for example, will engineers know that someone has opted out without at least some identifying information in the training data?

• How generative model training of images is handled.

• How they’ll honor other data subject rights in relation to, for example, the use of said AI for targeting/profiling (because you can damn well bet that’s coming), and whether subsequent deleted accounts will be removed from future training data.

• How they plan to treat data shared by adults of children (thinking of IG posts and grandma’s FB images of little Suzie’s birthday party).

• How this awfulness will be used by Meta to train its facial recognition glasses, which may use the same model.

In a related blow to user rights, a court in Koln, Germany, citing the DPC’s letter, rejected consumer rights’ group Verbraucherzentrale NRW’s request for injunctive relief. Perhaps another regulator, like the Hamburg DPA, will step up and do what’s right, but by then, the damage will be done.

So, this whole post is a long-winded way of me saying that Meta shouldn’t be trusted, and that you should delete your Facebook/Instagram accounts immediately.

Here’s a handy how to (with pictures!) from CNet that is much easier to follow than Meta’s own instructions. If you don’t want to fully delete, you should at least opt-out of having your data used for training Meta’s AI. I wrote some guidance language here.