Over the last few weeks, we have discussed how the data that social media platforms gather can be used by brands for audience segmentation and ad targeting. However, the use of this data raises questions about the efficacy of tracking user data. Laws have been enacted to help regulate data collection, and as a result social media platforms publish privacy policies. To see how these laws affect social media data collection, we will analyze Bluesky’s privacy policy. Before we do, though, let’s first discuss Bluesky itself.
About Bluesky
Bluesky is a newer social media platform that offers an experience similar to X. Having started as a project to build an open social protocol for public conversations under X’s former CEO, Jack Dorsey (while it was still called “Twitter”), it has been its own company since 2021. According to their FAQ, Bluesky aims to imitate the early days of the internet, where anyone could blog and subscribe to multiple blogs. The developers hope this will usher in a new era of experimentation and innovation in social media.
Bluesky uses the AT Protocol for public conversation and an open-source framework to build social apps, aiming for transparency in its build and development. This allows users to transfer their data from server to server without having to create new accounts. This separates it from other similar platforms like Mastodon, where user experience depends on the server they join. On Bluesky, user experience instead depends on the other feeds and accounts the user follows.
What is significant about Bluesky’s AT Protocol from a privacy perspective is that it stores user data so that it is accessible across multiple servers. Rather than the data having to be shared with each server, each server can access it whenever needed. However, this data is not shared without transparency from Bluesky, as is required by data protection laws.
Privacy Laws
The General Data Protection Regulation (GDPR) is a data protection law implemented by the European Union (EU) that gives individuals control over their personal data (Barnhart, 2020). This regulation sets down the following principles:
- Data collectors, such as social media platforms, should practice lawfulness, fairness, and transparency in their interactions with data subjects.
- Data collectors should collect data only for legitimate purposes, disclosed to the data subject at the time of collection.
- All data collected should be kept accurate and up to date.
- Additionally, they should store data only for as long as necessary for the specified purpose.
- Data collectors are responsible for demonstrating GDPR compliance with all principles.
The point of GDPR is not to punish or restrict marketers, but to give users peace of mind by giving them ownership of their own data. In addition to the GDPR, certain jurisdictions enforce further regulations. For example, California has its own privacy act.
The California Consumer Privacy Act (CCPA) impacts digital advertising and the media industry, specifically affecting digital ad personalization, consumer rights, and data transparency for users in California (IAB, 2020). It is a framework that requires any platform to communicate to users about their privacy rights and the ability to opt out of the sale of their personal data. It also covers how platforms must communicate to technology companies that a California user has opted out of the sale of their personal data, and how companies must operate after a California user has opted out. Other CCPA requirements include a single point-of-contact interface for users to contact the platform. Another requirement is that when a Californian user opts out of the sale of their personal data, there must be a subsequent change in the user’s experience. One last requirement is that there must be a method on the platform to do two things: disclose all information required by the CCPA, and indicate whether a Californian user has opted out of the sale of their personal data.
Like the GDPR, the CCPA is not trying to restrict or punish marketers but instead to give users peace of mind by offering them the option to opt out of the collection of their personal data. The effects of the GDPR and CCPA can be seen in social media privacy policies. As an example, Bluesky’s privacy policy will be discussed.
Bluesky’s Privacy Policy
Bluesky seems to have a clearly defined privacy policy page that, at the top, includes a table of contents, allowing a user to go directly to the section they want to read. According to the privacy policy, Bluesky will collect personal data provided by the user upon account creation, including the user’s email address, phone number, images uploaded to the user’s profile, birth date, and username. This is all the bare-minimum data a user needs to have a profile on the platform. Personal data is also collected by Bluesky through users’ communication with Bluesky support, including the user’s name, email address, or phone number used to contact Bluesky.
Section 11 discloses how Bluesky will share your personal data: to provide Bluesky services, to protect Bluesky itself or others, with other Bluesky companies, to obtain professional services from professional advisors, and in the case of a merger, sale, or other asset transfer.
Section 6 of Bluesky’s privacy policy is titled “If you do not want to provide personal data,” and tells the user that if they do not want their personal data collected, then they cannot access the Bluesky service. It is explained that, under applicable laws, they are required to collect this information; if you do not consent to it, they cannot provide you with their services. To still follow the CCPA, Section 15, titled “Supplemental Notice for Certain Jurisdictions,” provides supplemental information about personal data collected based on the user’s jurisdiction. Section 15Av discloses California-specific supplemental information. This includes information on how you may exercise your rights in relation to Personal Data, as outlined in the policy under section 13, with a link to email the Bluesky Support team to request that your private data not be collected.
Another section worth mentioning is section 13, which discusses the privacy rights and choices of Bluesky users, including the ability to opt out of email notifications, mobile device notifications, and the collection of specific location-based information. While notifications do not affect personal data, the specific location-based information is personal data.
While Bluesky’s privacy policy does its best to provide as much information and transparency as possible, it still has room for improvement. Users still have some concerns.
Privacy Concerns
It is good practice to be upfront with privacy practices, but it does not completely alleviate users’ concerns. A specific concern about Bluesky’s current privacy policies is that public posts on Bluesky remain accessible to third parties, making them vulnerable to data scraping and AI data training (Sevilla, 2024). This means that even if Bluesky is not doing business with these third parties, they can still data-mine the website and extract users’ personal data.
Beyond the scraping of public posts, because end-to-end encryption is not part of Bluesky’s direct messaging system, third parties can monitor conversations and identify targets for advertising (Zero Fox Team, 2026). However, Section 15Ai discloses that Bluesky will not share or sell your personal data for targeted advertising. While Bluesky claims it will not explicitly hand over this information for profit, third parties can still mine it.
The ease with which third-party actors can mine this data was demonstrated by researchers, who found they could extract over 1 million posts, including text, metadata, reply relationships, and media attachments (Cole, 2024). The fact that researchers were able to collect this data so easily is a major concern for user privacy on Bluesky. This means that literally anyone could do the same thing.
While this is not a privacy concern, a compliance issue Bluesky faced in the past was coming under fire from the European Union (EU) for failing to disclose all required information. Specifically, the website did not disclose the number of users the platform has in the EU as of November 2024 (Van Campenhout, 2024). However, the Bluesky FAQ has since been updated to state that, as of February 2026, Bluesky has over 42 million users. What this shows is that when Bluesky was not in compliance with the law, they were able to address the issue by simply adding a user count to the FAQ. Bluesky can have the same sort of reaction to the privacy issues brought up by users.
Suggestions to Improve Bluesky’s Privacy Practices
In chapter 12 of The Marketing Campaign Playbook by Sharon Lee Thony, it is explained that to stay agile in the fast-changing digital landscape, a business must encourage continuous learning, regularly review and update its strategies, and use data and analytics to inform decision-making. Based on this, Bluesky can use the data from concerns about its privacy practices to revise its privacy policy and practices.
With the previously discussed privacy concerns addressed, improvements that Bluesky could make to its privacy practices include:
- Offering end-to-end encryption for direct messaging to protect users’ conversations from third-party monitoring.
- Changing the AT Protocol to make it harder for third parties to mine users’ data or to feed the information into AI.
- Adding a watermark to photos downloaded from Bluesky to prevent images from being fed into AI.
Any privacy concerns from users are data that Bluesky can use to inform its decision-making. By updating its policies and practices and continually adapting to address users’ privacy concerns, Bluesky will build greater trust between the platform and its users and provide greater peace of mind.
Concluding Thoughts
Bluesky is still a relatively new social media platform, launched in 2024. In its short existence, it has attracted over 42 million users, and its privacy policy complies with the GDPR and CCPA. Despite its large and growing user base, Bluesky’s privacy practices could still be improved by addressing users’ current privacy concerns to build trust and ease their concerns. As time goes on, more privacy concerns among users may arise, but Bluesky can re-evaluate and address them to reaffirm the trust between Bluesky and its users.
References
About Bluesky. Bluesky. (n.d.-a). https://bsky.social/about/faq
Barnhart, B. (2025, August 29). GDPR and social media: What marketers need to know. Sprout Social. https://sproutsocial.com/insights/gdpr-and-social-media/
California Consumer Policy Act. Interactive Advertising Bureau. (n.d.). https://www.iab.com/topics/privacy/ccpa/
Cole, S. (2024, November 27). Someone made a dataset of one million Bluesky posts for “machine learning research.” 404 Media. https://www.404media.co/someone-made-a-dataset-of-one-million-bluesky-posts-for-machine-learning-research/
IAB CCPA Compliance Framework for Publishers & Technology Companies. Interactive Advertising Bureau. (2019, December 4). https://www.iab.com/wp-content/uploads/2019/12/IAB_CCPA-Compliance-Framework-for-Publishers-Technology-Companies.pdf
Privacy policy. Bluesky. (n.d.). https://bsky.social/about/support/privacy-policy
Sevilla, G. (2024, December 2). Bluesky’s privacy problems: Openness vs. user data safety in the age of AI scraping. EMARKETER. https://www.emarketer.com/content/bluesky-s-privacy-problems--openness-vs--user-data-safety-age-of-ai-scraping
Thony, S. L. (2024). Chapter 12: Adapting to Change. In The Marketing Campaign Playbook: A Step-by-Step Guide for Entrepreneurs, Marketers & Small Business Owners. STK MTK Entertainment.
Van Campenhout, C. (2024, November 25). EU says Bluesky is violating information disclosure rules. Reuters. https://www.reuters.com/technology/eu-says-bluesky-is-violating-information-disclosure-rules-2024-11-25/
Zero Fox Team. (2025, December 29). Is Bluesky safe? A complete guide to Bluesky Security. ZeroFox. https://www.zerofox.com/blog/bluesky-security-guide/
