26 items

Social Media Privacy Cleanup

Most social media privacy problems aren't from one bad setting — they're from years of defaults, forgotten app connections, and platform updates that quietly undid your choices. This audit works through every layer: visibility, location, connected apps, data sharing, old content, and the settings that reset without warning. For more background and examples, see the guidance below; for built-in tools and options, use the quick tools guide.

Author

Checklistify Editorial Team

Last Updated

Checklist Items

0 done•26 left•6 of 7 sections collapsed

Request a data archive from each platform before making any changes.

Facebook: Settings > Your Facebook information > Download your information. Instagram: Settings > Account > Download data. X/Twitter: Settings > Your account > Download an archive of your data. LinkedIn: Settings > Data Privacy > Get a copy of your data. Archives take 24–72 hours to generate. Reviewing yours first reveals what actually exists — post history, messages, location logs, connected apps, facial recognition data — before you begin deleting or adjusting anything. Many people find content and connections they'd forgotten entirely.

In your Facebook archive, open the 'Off-Facebook Activity' file and review its contents.

This file is the most revealing part of the archive and the least known. It lists every website and app that has sent your behavioral data to Facebook — including sites with no visible Facebook button, sites you visited while logged out, and apps that ran in the background. This is entirely separate from the apps you've explicitly connected to your account. Reviewing it gives you a concrete picture of how extensively your behavior outside Facebook has been tracked and attributed to your profile before you start changing settings.

Set your default post audience to Friends or Followers Only on every platform — not Public.

Facebook: Settings > Privacy > Your activity > Who can see your future posts. Instagram: Settings > Account > Account Privacy — enable the Private Account toggle. X/Twitter: Settings > Privacy and safety > Audience and tagging > Protect your posts. Platforms frequently reset these settings after major app updates or when you use a new post type for the first time (Reels, Stories, new formats). Setting this once is not sufficient — check it after any significant platform update or whenever you notice the interface has changed.

Find and restrict who can look you up using your email address and phone number.

Facebook: Settings > Privacy > How people find and contact you. Set 'Who can look you up using your email address' and 'Who can look you up using your phone number' both to 'Friends' or 'Only me.' These fields are directly used by people-search aggregators and data broker tools that cross-reference social profiles across platforms. Leaving them open allows anyone who has your phone number or email — including someone who purchased it from a data broker — to find and link your social accounts by those identifiers.

Enable post tagging review so tagged content requires your approval before appearing on your profile.

Facebook: Settings > Profile and tagging > 'Review tags people add to your posts before the tags appear' — set to On. Instagram: Settings > Tags and mentions > Manually Approve Tags. Without this, anyone can tag you in a photo, a political post, promotional content, or a group event, and it appears on your profile immediately — visible to your network and included in your public profile view. Marketers specifically exploit open tagging to manufacture social proof on brand pages.

Use Facebook's 'Limit Past Posts' tool to retroactively restrict all old public posts to Friends.

Facebook: Settings > Privacy > Your activity > 'Limit the audience for old posts on your timeline.' This changes every post previously shared with Public or Friends of Friends to Friends only in a single action. It does not delete anything — it restricts visibility going forward. Run this before reviewing individual posts; it handles the bulk of exposure quickly, and then you can spend your time identifying posts that should be deleted entirely rather than just restricted.

Restrict who can see your friends list and follower count.

Facebook: Settings > Privacy > How people find and contact you > 'Who can see your friends list?' Set to Only Me or Friends. A public friends list lets anyone map your social network — who you know, who knows you, and the overlap. This is genuinely useful for targeted social engineering: an attacker who wants to impersonate someone you trust can study your connections to make their approach convincing. On LinkedIn, go to Settings > Visibility > Visibility of your LinkedIn connections to hide your connections list from other members.

Check whether your profile is indexed by external search engines and disable this if you want your profile off Google.

Facebook: Settings > Privacy > How people find and contact you > 'Do you want search engines outside of Facebook to link to your profile?' — set to No. Note that this change only affects future indexing; content already cached by search engines remains accessible until they re-crawl and update. Instagram public profiles are indexed by default and there is no platform-level opt-out — a private account is the only way to prevent indexing on Instagram. For content that has already been indexed and you've since made private, use Google's URL removal tool at search.google.com/search-console/remove-outdated-content to request cache removal.

Disable location tagging in posts, Stories, and check-ins across all platforms.

When composing any post, look for a location pin or 'Add Location' option and remove it. Individual location-tagged posts seem harmless, but together they create a movement log: your workplace, gym, children's school, favorite restaurants, and travel schedule. A consistent pattern — Tuesday mornings at this gym, Friday evenings at this bar, summers at this vacation home — is identifiable even without explicit labels. Review your recent posts and remove location tags from anything that reveals routine patterns or your home neighborhood.

Set location permissions for every social media app to 'While Using App' or 'Never' — never 'Always'.

iOS: Settings > Privacy & Security > Location Services > review each social app individually and change to 'While Using.' Android: Settings > Apps > [app name] > Permissions > Location > 'Only while using the app.' An 'Always On' location permission means the app can record your GPS coordinates in the background — during your commute, while you sleep, when you're at a medical appointment. No social platform requires background location to deliver its core function. If a platform prompts you to upgrade to 'Always' after an update, the correct answer is always no.

#10

Revoke microphone and camera permissions for any social app you don't use for video or voice features.

iOS: Settings > Privacy & Security > Microphone (and separately, Camera) — review which apps have access and revoke any that don't require it for a specific feature you use. Android: Settings > Apps > [app name] > Permissions. Apps that don't offer video calling, Stories, or voice messaging have no legitimate need for these hardware permissions. Even for apps that do offer these features, the permission only needs to activate when you're actively recording — not as a persistent background grant.

#11

Audit every app and website connected to your social accounts and revoke access to anything you don't actively use.

Facebook: Settings > Security and login > Apps and websites. Sort by 'Last activity' — anything inactive for three months or more should be revoked. Google: myaccount.google.com > Security > Third-party apps with account access. X/Twitter: Settings > Security and account access > Apps and sessions > Connected apps. Instagram: Settings > Security > Apps and websites. Each connected app received an OAuth access token when you authenticated. Tokens often remain valid indefinitely unless explicitly revoked — this includes apps whose companies have shut down, been acquired, or been breached. Revoking access invalidates the token immediately.

#12

Evaluate apps where you used 'Sign in with Google' or 'Sign in with Facebook' and replace critical ones with direct logins.

Social sign-in links the third-party app to your social account via an access token. If that third-party service is breached, attackers may obtain tokens that grant access to your linked social account until you revoke them. For services that hold financial data, health data, or anything professionally sensitive, create a direct email-and-password login and then disconnect the social sign-in from both the app's account settings and from your social platform's connected apps list. This is a one-time task with permanent security benefit.

#13

On Facebook, clear your Off-Facebook Activity history and configure future activity management.

Facebook: Settings > Your Facebook information > Off-Facebook activity > Clear history. This disconnects the historical cross-site behavioral data from your profile — it doesn't stop future collection, but it removes what has already accumulated. To reduce future collection, select 'Manage Future Activity' and turn off 'Future Off-Facebook Activity.' This is one of the most impactful privacy settings Facebook offers. It degrades the quality of behavioral targeting against your profile more than most other individual settings.

#14

Open your ad interest profile and remove sensitive or inaccurate interest categories.

Facebook: Settings > Ads > Ad preferences > Advertisers and businesses > Your interests. Instagram: Settings > Ads > Ad topics. Your ad profile often contains inferences the platform drew from your behavior — not categories you selected — including inferred political leaning, health conditions, life events, and financial situation. Removing sensitive inferences reduces the richness of the behavioral model tied to your account. It does not make you invisible to advertisers, but it narrows what can be specifically targeted at you.

#15

Disable settings that share your activity data with the platform's advertising partners — these are distinct from the platform's own ad settings.

Facebook: Settings > Ads > Ad settings > 'Data about your activity from partners.' Instagram: Settings > Ads > 'Data used to show you ads.' Look specifically for options with language about 'partners outside of [platform name],' 'data from other companies,' or 'advertisers off of [platform].' These settings govern data flows to third parties, not just the platform's own ad targeting, and they default to enabled. They are consistently placed at the third or fourth navigation level, making them easy to miss.

#16

On LinkedIn, turn off profile update sharing, restrict activity visibility, and disable third-party data sharing.

LinkedIn: Settings > Visibility > Visibility of your LinkedIn activity — turn off 'Share profile updates with your network' before editing your profile (it broadcasts every change to your connections). Settings > Data privacy > Third-party data sharing — LinkedIn has data-sharing partnerships with external research and advertising firms; opt out here. Also under Settings > Data privacy > Profile viewing options — switch to private mode before browsing profiles, so your name doesn't appear in others' 'Who viewed my profile' notifications.

#17

Prune your friends or followers list — remove connections you don't know, haven't spoken to in years, or don't trust.

A 'Friends Only' post reaches every person on your list. If that list includes 400 people — former classmates, conference acquaintances, people from a party years ago — that is your actual audience, not a private one. On Facebook, unfriending is not announced to the other person. On Instagram (private account), use 'Remove Follower' from your followers list — the person is not notified. There is no social obligation that justifies maintaining connections that dilute the meaning of 'private' on your account.

#18

Use platform activity log and archive tools to filter old posts by year — delete or restrict anything sensitive, identifying, or professionally compromising.

Facebook: Profile > Activity Log — filterable by year, post type, and audience. Instagram: Settings > Account > Posts, Reels, and Stories Archive. Focus on three categories in order of priority: posts containing personal information (home address, daily routine, health details, financial situation), posts that could affect professional reputation or future relationships, and posts that reveal the location or schedule of people in your life who didn't consent to being public. You don't need to delete everything old — only what you'd regret a recruiter, an estranged contact, or a stranger seeing.

#19

Remove personally identifying profile details that aren't necessary for the platform: full birthdate, phone number, home city, current employer, and relationship status.

The combination of full name, birthdate, current employer, and city is sufficient to answer most knowledge-based authentication questions used by banks, utilities, and government services — making this set of fields genuinely useful for identity theft and social engineering. On Facebook, each profile field can be set to 'Only me' individually without deleting it. On Instagram, your bio is always public on a public account — treat it as a business card visible to strangers, not a profile visible to friends. Give only what the platform's actual purpose requires.

#20

Untag yourself from photos you didn't post — particularly those that reveal your location, workplace, home, or associations you'd rather not make public.

A tagged photo does more than attach your name: it confirms your presence at a location (especially if geotagged), reveals who you were with, and connects your profile to content you didn't choose to share. On Facebook: Profile > Photos > Albums > Photos of You. Instagram: Profile > Tagged tab (the person icon). Untagging removes the connection between your profile and that post — it doesn't delete the photo from the person who posted it. If the photo itself is a concern, you'll need to ask the original poster to remove it.

#21

Search your own name in incognito mode and note what social content surfaces — this reveals your actual public footprint.

Use incognito or a private browsing window (to exclude personalization) and search '[Your Name] site:facebook.com', '[Your Name] site:instagram.com', and '[Your Name] site:linkedin.com' separately. What appears is what employers, acquaintances, or anyone researching you will find. Content that appears but shouldn't be public means a setting was either never configured or has been reset. For content that was public when indexed but has since been made private, submit removal requests via Google's 'Remove outdated content' tool — search engines don't re-crawl on demand.

#22

Verify each social account uses a unique password stored in a password manager, with two-factor authentication enabled via an authenticator app (not SMS).

SMS-based 2FA is vulnerable to SIM-swapping — an attack where a criminal convinces your carrier to transfer your phone number to a SIM they control, then intercepts your 2FA codes. Authenticator apps (Google Authenticator, Authy, or the authenticator built into most password managers) generate codes locally and are not interceptable this way. If a platform offers only SMS 2FA, use it anyway — it still blocks most automated account takeover attempts. The primary risk is targeted attacks where someone is specifically after your account.

#23

Check your active login sessions and immediately log out of any unrecognized devices or locations.

Facebook: Settings > Security and login > Where you're logged in. Instagram: Settings > Security > Login activity. X/Twitter: Settings > Security and account access > Apps and sessions > Sessions. A session from an unfamiliar city, device, or time is a strong indicator of unauthorized access. If you see one: log it out immediately from this interface, change your password, check that your recovery email address and backup phone number haven't been changed, and review recent account activity for posts, messages, or permission changes you didn't make.

#24

Permanently delete — not just deactivate — social media accounts you no longer use.

Deactivation hides your profile but leaves the account (and its vulnerabilities) intact. Old accounts are high-value targets: they typically have outdated passwords, no 2FA, and are tied to an email address you monitor infrequently — all of which make takeover much easier. A compromised old account can impersonate you to your former contacts and access any service you connected to it. Look beyond the major platforms: Tumblr, Flickr, older forum accounts, and any service where you created a social profile. Most deletions have a 30-day grace period before data is actually removed.

#25

Set a recurring calendar reminder — January and July — to revisit all platform privacy settings.

Privacy settings don't stay set. Platform updates introduce new features (new ad products, new post types, new data-sharing programs) with permissive defaults. A semi-annual check takes 20–30 minutes per platform once you've done the initial audit and catches resets before they represent months of unintended exposure. Treat this exactly like a smoke alarm battery check: brief, regular, and not optional.

#26

💡 What this audit actually does — and what it can't

Privacy settings on social platforms control who among other users and advertisers can see your content. They have essentially no effect on what the platform itself collects. Facebook logs your click patterns, dwell time on each post, scroll behavior, and device identifiers regardless of what your audience setting is. Instagram knows which posts you paused on, which profiles you visited, and which ads you lingered over — whether your account is public or private.

This audit meaningfully reduces your exposure to other people, to third-party advertisers, and to casual researchers. It does not remove you from the platform's own data infrastructure. Those are two separate problems — this checklist addresses the first. The second requires different tools entirely.

🔍 The data ecosystem this checklist doesn't cover

Social media platforms are one source of public personal data. Data brokers — Spokeo, WhitePages, BeenVerified, Intelius, Radaris, PeopleFinder, and 200+ others — aggregate your data from public records, purchase history, voter rolls, property records, and scraped social profiles into searchable dossiers. Cleaning up your Facebook settings does nothing to the profile that already exists on these services.

Most brokers offer individual opt-out pages, but the process is deliberately tedious: each service requires a separate request, some require identity verification before they'll remove your identity, and profiles often reappear within 90 days as new public records are processed. Paid services like DeleteMe (~$129/year) or Kanary automate recurring opt-outs. Manual opt-out is possible — budget 3–5 hours to cover the highest-traffic brokers.

Start with the ones that surface most in name searches: Spokeo, WhitePages, BeenVerified, Intelius, and Radaris. Search your name and city on each, locate your listing, and find the opt-out link — typically buried in the site footer under "Privacy" or "Do Not Sell My Information."

⚠️ The privacy gap no setting can close

Your settings control what you share. They don't control what your contacts share about you. A friend posting a group photo, tagging your location, or publicly recounting a conversation that includes your name is entirely outside your control. This is sometimes called the mutual exposure problem: your effective privacy level is partly a function of how privacy-conscious the people in your network are.

The practical implication: a direct conversation with close contacts about what you're comfortable being tagged in or posted about addresses this gap better than any platform setting. It's an uncomfortable topic, but it's the only lever you have for the content others create about you.

📝 What platforms retain after you delete

Deletion removes content from public view, but internal retention is a different matter:

Platform backup copies typically persist for 30–90 days post-deletion before being purged from servers
Messages you sent exist in your recipients' accounts and cannot be deleted by you alone
Legal holds can preserve data indefinitely if the account is connected to any ongoing investigation
Aggregated behavioral data derived from your activity — patterns, preferences, behavioral signals — is typically anonymized and retained permanently as part of their model training and analytics infrastructure

📖 Priya's data broker surprise

Priya did a thorough social media audit before a sensitive background check for a government contracting role. Her accounts were locked down. Six weeks later she Googled herself and found her old address, current employer, estimated age, and a list of relatives on three separate people-search sites — none of it sourced from her social accounts. It came from public records, utility registrations, and voter rolls that data brokers aggregate independently. Her afternoon of platform privacy settings had addressed one ecosystem entirely; the data broker layer was untouched and required a completely separate set of opt-out requests.

🧮 Why privacy settings are designed to be difficult

Social platforms are advertising businesses. Their revenue depends on the richness of the behavioral profiles they build on users and the precision with which those profiles can be sold to advertisers. Privacy settings that restrict data sharing directly reduce that revenue — which creates a structural incentive to make those settings hard to find, easy to miss after updates, and defaulting to the permissive state after any change.

The FTC has settled enforcement actions against platforms specifically for "dark patterns" — interface designs that make privacy-protective options harder to reach or visually deemphasized compared to data-sharing options. This context explains two recurring frustrations: why the most impactful settings are always several layers deep in the menus, and why the same settings keep resetting to permissive defaults. You are working against the interface, not with it.

🔧 What to tackle next, after the audit

Data broker opt-outs

Begin with Spokeo, WhitePages, BeenVerified, Intelius, and Radaris — these appear in most name searches. Manual opt-outs take 3–5 hours total. Profiles may return within 90 days; rechecking quarterly is necessary.

Email breach exposure

Check haveibeenpwned.com for every email address you've linked to social accounts. A breached email is the most common entry point for account takeover — especially if you reused the password anywhere.

Browser-level tracking

Social login cookies and tracking pixels follow you across the web independent of your platform settings. Firefox with uBlock Origin blocks most cross-site tracking at the browser level — a complement to anything you've changed in your apps.

⏱ Realistic time investment per platform

One platform done thoroughly is more valuable than all platforms rushed. Complete one per day to avoid decision fatigue.

60–90 min

Facebook (most complex; data archive review adds time)

20–30 min

Instagram

15–25 min

X / Twitter

25–35 min

Add 1–2 hours per platform if you plan a detailed post-by-post review. The data archive download (24–72 hours to generate) should be requested before you begin any platform — so start those requests today even if you plan to do the full audit later this week.

Master This Checklist Quickly

Every important button and option for this pre-made checklist, shown in a glance-friendly format.

Start Here

1
Click any item row to mark it complete.
2
Use the note row under each item for quick notes.
3
Use the tool row for undo, redo, reset, and check all.
4
Use Save Progress when you want to continue later.

Checklist Row Tools

UndoRedoResetCheck allCollapse/Expand sectionsShow/Hide detailsInline notes

Top Action Buttons

Open all sharing and export options in one menu.

Email DraftContinue on another devicePrint or Save as PDFPlain Text (.txt)Word (.docx)Excel (.xlsx)

Add & Ask

Open one menu for apps and AI guidance.

NotionTodoist CSVChatGPTClaude

Copy and customize

Create a new editable checklist pre-filled with your chosen content.

Save Progress

Adds this checklist to My Checklists and keeps your progress in this browser.

Most Natural Usage

Track over time

Check items -> Add notes where needed -> Save Progress

Send or export

Open Share -> Choose format -> Continue

Make your own version

Copy and customize -> Open create page -> Edit freely