In the UK this should have been reported to CEOPS. They have specific requirements for social media companies, such as:
Only collect the personal data you actually need for your service.
Tell users what information you collect, why and how long you’ll keep it.
Give users reasonable choices about how to use their personal information and specific types of data, such as geolocation data.
Offer privacy settings options, including privacy-by-default, to give control to your users.
Looks like Facebook fails on all points, as usual.