Big Tech Data Privacy Scores: Who Protects Your Data?
In 2024, a federal class action moved forward against Meta for capturing healthcare data -- diagnoses, prescriptions, appointment details -- through the Meta Pixel embedded on hospital websites, without patient consent. The same year, the EU opened an investigation into how Google used Europeans' personal data to train its PaLM 2 AI model. Uber faces daily fines exceeding 584,000 euros for refusing to let drivers see the algorithmic decisions that control their livelihoods.
Every major tech company collects your data. The question is what happens when they get caught misusing it.
Mashinii's Safe & Smart Tech dimension evaluates data privacy, cybersecurity, encryption, algorithmic transparency, and AI ethics using regulatory enforcement records, court settlements, and independent investigations -- not corporate privacy policies. We scored seven of the largest technology companies. Only two managed positive scores.
How Do Tech Companies Score on Data Privacy?
| Rank | Company | Safe & Smart Tech Score | Grade |
|---|---|---|---|
| 1 | Salesforce | +30 | Privacy Protector |
| 2 | Apple | +10 | Privacy Protector |
| 3 | Uber | -30 | Data Violator |
| 4 | Microsoft | -40 | Data Violator |
| 5 | Amazon | -50 | Data Violator |
| 6 | Alphabet (Google) | -70 | Data Violator |
| 7 | Meta | -70 | Data Violator |
Scores from -100 to +100. Source: Mashinii integrity intelligence platform.
Five of seven companies scored negative. The two advertising-funded giants -- Alphabet and Meta -- sit at the bottom with identical -70 scores. For a head-to-head breakdown of the three largest players, see our comparison of Google, Microsoft, and Apple on privacy.
What Google, Meta, and Amazon Know About You
Data privacy is abstract until you consider what these companies actually collect. Here is what the regulatory and court record documents for the five lowest-scoring companies.
Google: Location data from 136 million users tracked via Chrome's "Incognito" mode, even after users explicitly opted for private browsing. Google was forced to purge billions of data files in a 2024 settlement.
Meta: Healthcare data -- including diagnoses, prescriptions, and doctor visit details -- captured via the Meta Pixel embedded on hospital websites, without patient knowledge or consent. A federal class action is proceeding.
Amazon: Productivity data from warehouse workers tracked second-by-second through handheld scanners, including idle time and movement speed. France's CNIL fined Amazon 32 million euros for the practice in 2024.
Microsoft: The "Recall" feature, introduced in 2025, takes screenshots of everything on your screen every few seconds and stores them locally. The UK's Information Commissioner's Office contacted Microsoft over the implications.
Uber: Algorithmic decisions that deactivate drivers -- ending their income -- with no human review and no access to the data behind the decision. Courts have repeatedly ruled against Uber's claim that these algorithms are trade secrets.
Which Tech Companies Protect Your Data Best?
Salesforce (+30): Red Teaming That Works
Salesforce is the only company in this group with both an articulated AI ethics framework and documented enforcement. The company maintains Trusted AI Principles and an updated AI use policy that bans applications like deepfakes. A Chief Ethical and Humane Use Officer publicly advocates for stronger regulation.
The concrete measure: in September 2024, red teaming exercises -- both internal and external -- identified and mitigated vulnerabilities in Salesforce's AI products, resulting in a 90% reduction in problematic outputs from adversarial prompts. Salesforce joined NIST's U.S. AI Safety Institute Consortium in February 2024 to help develop AI guidelines and standards. No major data breaches or significant privacy fines appear in the regulatory record.
Salesforce was also named one of the World's Most Ethical Companies by the Ethisphere Institute for the 16th time in March 2025, based on an evaluation of its culture, ethical and compliance activities, and environmental and social practices.
View Salesforce's full score breakdown
Apple (+10): Privacy Architecture With Regulatory Friction
Apple has invested heavily in privacy infrastructure. The PQ3 protocol, introduced in February 2024, fortifies iMessage against quantum computing threats. End-to-end encryption was extended to iCloud Backups, Notes, and Photos in December 2022. Apple Intelligence emphasizes on-device AI processing and a Private Cloud Compute architecture verified by independent experts.
The record includes two regulatory actions. France's antitrust watchdog fined Apple 150 million euros in March 2025, ruling that App Tracking Transparency was "neither necessary nor proportionate." Apple also settled a $95 million lawsuit in December 2024 over allegations that Siri recorded users without consent.
Apple's proactive decision to delay Apple Intelligence features in the EU to address Digital Markets Act concerns is documented in regulatory filings. The positive score reflects a company that has built privacy into its product architecture, even where implementation has drawn regulatory challenge.
View Apple's full score breakdown
The Worst Data Privacy Violations by Tech Companies
Uber (-30): 290 Million Euros and Algorithmic Opacity
Uber scored -30, placing it at the top of the negative tier. The Dutch Data Protection Authority fined Uber 290 million euros in 2024 for improperly transferring European drivers' data to the United States -- one of the largest GDPR penalties issued to date. An additional 10 million euro fine followed for privacy rights violations concerning driver data.
Uber's algorithmic transparency record raises separate concerns. Courts have ruled against the company's reliance on trade secrets to deny drivers access to data about AI-powered deactivations. Uber faces ongoing daily fines exceeding 584,000 euros for failing to comply with EU algorithmic transparency requirements.
On the positive side, Uber maintains PCI DSS 4.0 Level 1 and ISO 27001 certifications and offers user data controls including a Privacy Check-up feature. It conducts regular AI audits with human-in-the-loop processes. The gap between certification and regulatory enforcement remains wide.
View Uber's full score breakdown
Microsoft (-40): AI Governance Leader, Privacy Controversy Magnet
Microsoft presents a contradictory picture. The company was recognized as a leader in AI Governance Platforms in November 2023 and proactively obtained a court order in February 2025 to seize a website operated by developers circumventing AI safeguards to produce deepfakes.
But Microsoft disbanded its AI ethics and society team in March 2023. In January 2025, subsidiary LinkedIn was sued for allegedly disclosing users' private messages to third parties without permission to train AI models. The lawsuit claims privacy settings were not effectively communicated, and opting out would not affect previous data use.
The most scrutinized development: Microsoft's "Recall" feature, introduced in May 2025, takes screenshots of user activity every few seconds. The U.K. Information Commissioner's Office contacted Microsoft about potential privacy issues. The FTC previously fined Microsoft $20 million for children's privacy violations.
View Microsoft's full score breakdown
Data Privacy Red Flags for Investors
Amazon (-50): Employee Monitoring, Breaches, and Biased AI
Amazon experienced a data breach in 2024, linked to a May 2023 third-party vendor vulnerability, that affected 2.8 million records. France's CNIL fined Amazon France Logistique 32 million euros in January 2024 for intrusive employee monitoring through handheld scanners that tracked productivity metrics in violation of GDPR.
Amazon's AI record includes documented bias in its recruitment tool and racial and gender biases found in its Rekognition facial recognition technology. While AWS achieved ISO/IEC 42001:2023 certification for AI management, the pattern of incidents documented in regulatory filings suggests privacy practices have not kept pace with compliance infrastructure.
View Amazon's full score breakdown
Alphabet (-70): AI Training on Your Data Without Consent
Alphabet shares the lowest score in this analysis. In September 2024, the EU opened a formal investigation into whether Google violated European privacy laws by using personal data to train its PaLM 2 AI model -- raising the question of whether every Gmail, Google Doc, and Google Maps interaction contributed to AI training without meaningful user consent.
The Incognito mode settlement in April 2024 revealed the scale of the problem: Google had tracked over 136 million users who explicitly chose private browsing, and was forced to purge billions of data files. Employees reported that the rush to release AI products led to ethical lapses and insufficient safety checks. In February 2024, Google acknowledged its AI image generator "overcompensated" for diversity and temporarily removed the feature.
Alphabet's water withdrawal increased 27% between 2023 and 2024, reaching 11 billion gallons -- a privacy-adjacent concern as the infrastructure required to process data at this scale demands enormous physical resources.
View Alphabet's full score breakdown
Meta (-70): Your Health Data, Their Advertising
Meta matches Alphabet at the bottom. The most underreported privacy violation may be the Meta Pixel: embedded on hospital and telehealth websites, it captured patients' healthcare data -- diagnoses, prescriptions, appointment details -- and transmitted it to Meta's advertising infrastructure. A federal class action is proceeding after courts rejected Meta's motion to dismiss.
Beyond healthcare data, Meta's penalty record spans billions in fines across three continents. The $1.4 billion facial recognition settlement in July 2024 concerned the use of biometric data from millions of users without consent. A EUR 390 million penalty in January 2023 addressed the forced acceptance of personalised advertising. A EUR 91 million fine in October 2024 confirmed that Meta stored user passwords in plain text.
Forty U.S. states urged Meta to address a surge in account hijackings, with New York reporting a 1,000% increase since 2019. Meta paused AI training with European user data in June 2024 after regulators intervened. The European Commission has opened formal proceedings regarding deceptive advertisements under the Digital Services Act.
View Meta's full score breakdown
Why Ad-Funded Tech Companies Score Worst on Privacy
The pattern in the data is structural. Companies whose revenue depends on advertising -- Alphabet and Meta -- scored lowest. Their business model requires maximising the volume of personal data collected, creating a fundamental tension with privacy protection. When Meta generated $164 billion in revenue in 2024, a EUR 1.2 billion fine amounted to less than three days of income.
Companies that sell products or subscriptions -- Apple and Salesforce -- have a different incentive. Privacy becomes a competitive feature rather than a cost. The regulatory environment is accelerating: the EU's AI Act, the U.S. state-level privacy laws proliferating since 2023, and enforcement actions growing in both frequency and scale all suggest that companies with structural privacy challenges face mounting financial exposure.
For a broader view of how ethical scores distribute across the market, see our S&P 500 ethical scores analysis.
How We Score
Every score on this page is derived from regulatory enforcement records, court settlements, and independent investigations. No corporate self-assessments. Every claim links to its source. Learn more about our methodology.
Every company scored here can be explored in full on the Mashinii platform. Advisors working with clients who hold tech-heavy portfolios can use this data to surface privacy risks that traditional ESG ratings often miss. See the advisor solution.
Audit My Portfolio | Search Any Company | View Rankings
Mashinii provides integrity data for informational purposes. This content does not constitute financial advice. Investment decisions should be made in consultation with a qualified financial adviser and should account for your individual circumstances and risk tolerance.