Meta AI: Is the Conversational Assistant Really Harvesting Data?

Since the 2010s, major platforms have built their dominance on monetizing attention (targeted advertising, recommendation algorithms). With the advent of generative AI, a new paradigm is emerging: not just capturing attention, but directly interacting with users in increasingly personalized and contextual spaces.

Meta, by integrating its assistant into the Facebook/Instagram ecosystem, crosses a threshold in data exploitation. User consent, often diluted in complex interfaces and opaque privacy policies, seems increasingly symbolic.

Surfshark's study highlights the extent of data collection by AI chatbots: all analyzed applications collect user data, 45% collect geolocation, and nearly 30% (notably Jasper, Poe, and Copilot) engage in ad tracking, meaning they cross-reference data with other services or sell it to data brokers. 

Data brokers are companies specializing in buying and selling personal data. They compile information from applications, websites, and public databases to create detailed user profiles, which are then sold to advertisers, insurers, employers, and sometimes even public agencies.

Among the largest companies in this sector are Acxiom, Experian, Epsilon, and Oracle Data Cloud, which make billions of dollars exploiting this information. Despite increasing regulation in some regions, the market remains scarcely controlled globally.

 

According to the study, Meta AI is the only one collecting data on financial information, health, and fitness. The application doesn't stop there: it's also the only one collecting particularly sensitive information: racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, union membership, political opinions, genetic information, or biometric data.

 

Maud Lepetit, France manager at Surfshark, warns:

 

Meta AI is also the only one along with Copilot to collect user identity-related data for sharing with third parties for targeted advertising. However, with 24 types of data exploited, it stands out significantly from Copilot, which uses only two (device ID and ad data).

OpenAI takes a more cautious approach. With only 10 types of collected data, including contact details, user content, usage and diagnostic data, ChatGPT neither uses ad tracking nor shares with third parties for commercial purposes. Moreover, the "temporary chats" option, deleted after 30 days, offers an interesting compromise between service continuity and privacy. Its users can also request OpenAI to delete their data for model training.

The Chinese solution DeepSeek positions itself midway with 11 types of collected data, including chat history. However, the data storage location (the People's Republic of China) and a major security breach reported by The Hacker News (leak of over a million conversation records) remind us that server location and cybersecurity practices weigh as much as the amount of collected data.

While Meta will begin data collection in France and Europe as of May 27 to train its AI models, Maud Lepetit reminds:

If you oppose the exploitation of your personal data by Meta, you must do so before this deadline. Its approach, based on the "opt-out" principle, where the user must express refusal, rather than explicit consent ("opt-in"), raises questions about its compliance with GDPR. The legitimate interest invoked by Meta to justify this collection without prior consent has led NYOB and consumer associations to continue their actions against the company. The CNIL, for its part, considers that using legitimate interest as a legal basis for training an AI system is not illegal per se, but requires careful assessment of the interests and fundamental rights of the individuals concerned.