Social Media Privacy Settings Checklist by Platform

Overview

If you use social platforms for work, publishing, networking, or everyday communication, privacy is not just about secrecy. It is about control. The right privacy settings reduce unwanted attention, limit impersonation risk, lower exposure to phishing attempts, and help you decide what strangers, followers, search engines, and data partners can learn about you.

This matters for both individuals and website owners. A public-facing profile may be useful for discoverability, but oversharing can create openings for account takeover, social engineering, and identity theft prevention failures. Details like your birthday, direct email address, phone number, staff names, travel schedule, or family connections can be stitched together by scammers. That is why a good privacy settings checklist should not stop at “make your account private.” It should help you choose what should stay public, what should stay restricted, and what should be removed entirely.

Across most major platforms, review these categories first:

• Profile visibility: Who can see your bio, follower list, posts, stories, and activity.
• Discoverability: Whether people can find you by phone number, email address, or search engine indexing.
• Tagging and mentions: Who can tag you, mention you, or attach your profile to content before approval.
• Direct messages: Who can message you, send requests, or add you to group conversations.
• Location and metadata: Whether your posts expose live location, check-ins, device details, or contact sync data.
• Ads and tracking: Whether the platform can personalize ads based on activity, partners, or off-platform behavior.
• Login and recovery: Password strength, two-factor authentication, backup methods, and login alerts.
• Connected apps: Third-party tools, social logins, scheduling tools, and old integrations you no longer use.

Think of privacy as layered control. Public content settings handle visibility. Safety settings reduce abuse. Security settings protect access. Data settings limit how much the platform and its partners can collect or infer. If you want a broader device and browser baseline, pair this checklist with Browser Privacy Settings Guide: What to Change and Why.

Checklist by scenario

Use the scenario that best matches how you use social media. Many readers will need a mix of these rather than just one.

1. Personal account checklist

If your account is mainly for friends, family, or casual posting, your default should lean private.

• Set your account, posts, stories, or activity feed to friends, approved followers, or a restricted audience where available.
• Turn off discoverability by phone number and email if the platform allows it.
• Hide or limit visibility of your follower list, following list, and friends list.
• Require approval for tags, mentions, photo tags, or timeline posts before they appear publicly.
• Restrict who can send direct messages, voice calls, or group invites.
• Review profile fields and remove unnecessary details such as full birth date, hometown, relationship status, workplace email, or school history.
• Disable contact syncing unless you actively need it.
• Turn off precise location sharing and avoid posting in real time from home, school, or a routine location.
• Enable two-factor authentication and save backup codes offline.
• Review logged-in devices and sign out sessions you do not recognize.

2. Creator, freelancer, or public-facing professional checklist

If visibility is part of your work, the goal is selective openness rather than maximum privacy. You may want public posts but private recovery details and tighter message controls.

• Keep your public bio minimal and professional. Use a business email alias instead of a personal address.
• Decide whether your follower list should be visible. In some cases, hiding network connections reduces scraping and impersonation attempts.
• Set comments, mentions, and tags to filtered or approval-based where possible.
• Limit direct messages to followers, verified contacts, or approved requests.
• Remove personal landmarks, home-area references, and schedule patterns from stories and short-form posts.
• Check whether your profile can be found through synced contacts and turn that off if it is not essential.
• Review ad settings and opt out of unnecessary personalization where options exist.
• Separate brand tools from personal tools. Do not connect every third-party app to your main account.
• Use strong login protections and assign shared access carefully if a team helps manage content.
• Create a simple impersonation response plan: profile link, backup contact channel, and reporting steps.

Public-facing accounts are frequent targets for phishing scam warning patterns, including fake copyright complaints, fake verification offers, and fraudulent brand collaborations. For broader email threat patterns, see Phishing Email Red Flags: An Updated Guide With Real-World Patterns.

3. Business page or brand account checklist

Business accounts often expose more information than personal accounts because multiple people need access. That makes role management just as important as audience settings.

• Audit who has admin, editor, moderator, analyst, or ad-account access.
• Remove former employees, contractors, agencies, or unused partner connections.
• Use named roles instead of shared passwords whenever possible.
• Enable login alerts and two-factor authentication for every administrator.
• Review what contact information is displayed publicly and remove personal phone numbers or direct staff addresses.
• Check messaging settings so scam requests and spam do not reach junior staff without filters.
• Limit who can comment, post to the page, tag the account, or mention the page in ways that look official.
• Review connected apps, social schedulers, CRM integrations, and auto-post tools.
• Confirm that public links point to the correct website and not an outdated domain or vanity URL.
• Document recovery steps in case the page is locked, impersonated, or hijacked.

If your public profile links to a website, domain trust matters too. A compromised or lookalike domain can undermine the safest social setup. See How to Check a Domain Before You Trust a Website and Is This Website Safe? A Practical Checklist for Spotting Scam Sites.

4. Platform-by-platform privacy settings checklist

The exact labels change, but these are the settings areas worth reviewing on the most commonly used networks.

Facebook privacy settings

• Who can see future posts, past posts, friends list, and story content.
• Who can send friend requests or find you using phone number or email.
• Timeline review and tag review before posts appear on your profile.
• Profile information visibility for birthday, workplace, location, and family details.
• Off-platform activity and ad preference settings.
• Location history, facial recognition-style features if offered, and contact syncing.

Instagram privacy settings

• Public versus private account status.
• Story audience, close friends lists, and reply permissions.
• Comment controls, hidden words, mention limits, and tag approval.
• Activity status visibility and message request controls.
• Contact syncing, cross-posting, and linked account permissions.
• Login activity and device review.

TikTok privacy settings

• Private account toggle and who can view videos, likes, and following lists.
• Who can comment, duet, stitch, mention, or download videos.
• Direct message permissions and suggestion settings.
• Profile recommendation options and contact-based discoverability.
• Ad personalization and data-sharing preferences where available.
• Restricted mode, family pairing, or audience controls if relevant.

LinkedIn privacy settings

• Profile viewing options and public profile visibility.
• Email address and phone discoverability.
• Connection list visibility and follower settings.
• Profile updates broadcast to your network.
• Advertising data and third-party data use.
• Account access, sign-in verification, and device management.

X, Threads, Reddit, or similar conversation-first platforms

• Post visibility, account discoverability, and whether search engines can index your profile.
• Mention, message, and reply permissions.
• Location labeling on posts.
• Audience controls for media, communities, or subscriptions.
• Data-sharing, ad personalization, and contact import settings.

For any platform, if a setting seems unclear, test it from another account or a private browser window instead of assuming it works the way the label suggests.

What to double-check

A privacy audit often fails because people only review visible content settings and skip the hidden details that expose them indirectly. These are the areas to verify carefully.

Account recovery methods

Your recovery email and phone number should be current, secure, and not widely published. If your public contact email is also your account recovery email, separate them. This reduces the damage if one address is targeted by phishing or credential stuffing.

Old posts and archives

Privacy settings do not always rewrite the audience for older content. Review old albums, story highlights, pinned posts, and videos. Remove posts that reveal addresses, license plates, school names, children’s routines, or travel habits.

Linked apps and social logins

Third-party quiz apps, automation tools, AI helpers, shopping tools, and old social login connections can keep data flowing long after you stop using them. Revoke what you no longer need. The same principle applies to browser extensions and mobile apps with broad permissions.

Searchability outside the platform

Some profiles are visible not only inside the app but also in search engines, people-search tools, and data broker listings. Tightening social media privacy settings is useful, but it does not remove previously exposed information from the wider web. If discoverability is a concern, review How to Remove Your Information From Data Broker Sites.

Message requests and malicious links

Direct messages are a common route for scams, fake collaboration offers, account warnings, and malicious link warning attempts. If you accidentally interact with a suspicious message, follow a containment process quickly. This guide can help: What to Do After Clicking a Suspicious Link.

Common mistakes

Most privacy mistakes are not dramatic. They are small, cumulative, and easy to miss.

• Assuming private means invisible. Even with a private account, your profile photo, username, bio, and interaction patterns may still be visible.
• Leaving friend, follower, or connection lists open. These lists are valuable to impersonators and recruiters of scam campaigns.
• Using the same phone number everywhere. A phone number tied to multiple apps can increase discoverability and targeting risk, including smishing examples and account recovery abuse.
• Keeping location habits public. Repeated gym, school, office, or neighborhood references create a pattern even when no single post seems sensitive.
• Ignoring tag review. Friends, customers, and strangers can expose you with one tagged photo or event post.
• Forgetting old accounts. Dormant profiles on older platforms may still rank in search and reveal more than active ones.
• Confusing safety with privacy. Comment filters and blocking tools help, but they do not replace audience and discoverability controls.
• Not testing settings after updates. Platforms change menus, defaults, and feature rollouts. A setting that was once off may be moved, renamed, or reset.

If you manage campaigns, social selling, or creator partnerships, there is one more mistake to avoid: letting convenience override separation. Keep admin access, public contact channels, and personal identity details distinct wherever possible.

When to revisit

The most useful privacy settings checklist is one you return to before something changes, not only after a problem appears. Revisit your settings in these situations:

• Before seasonal planning cycles, product launches, conferences, or travel periods.
• When you change jobs, roles, business partners, or team access.
• When a platform introduces new messaging, AI, recommendation, audience, or ad features.
• After a phishing attempt, suspicious login alert, impersonation report, or online scam alert.
• When you start using a profile more publicly than before.
• When you stop using a platform and want to lock down or remove the account.

Make the review simple and repeatable:

1. Open each active social platform.
2. Check visibility, discoverability, messaging, tags, location, ads, and login security.
3. Review old posts and connected apps.
4. Test what a stranger can see from outside your account.
5. Update your password manager and backup codes if you changed security settings.

That five-step process is enough for most routine audits. You do not need to chase every menu weekly. What you do need is a habit of checking before your exposure changes. Social media privacy settings are not a one-time setup. They are maintenance. A short review now can prevent the much longer work of cleaning up impersonation, phishing fallout, or overshared personal data later.

If you want to build a fuller online privacy checklist beyond social platforms, combine this article with your browser settings, device permissions, and data broker removal work. Those layers support each other, and they age well when revisited on a schedule.