TL;DR: Facebook strips most EXIF metadata from the photos it serves publicly. When you upload an image, Facebook re-encodes and resizes it, and that processing discards the original EXIF block—including GPS coordinates, camera serial numbers, and capture timestamps—from the version other users can download. So someone who saves your public Facebook photo will usually not find your location buried in the file. But "Facebook removes EXIF" is only part of the story. Facebook still receives your original file with all its metadata intact, the optional check-in and location tags you add are fully public, and Facebook attaches its own tracking identifiers (a
fbidand an IPTC special-instructions tag) to the files it serves. Any photo you share off-platform may still carry the data Facebook never touched. The reliable habit is to strip metadata yourself before uploading rather than trusting any platform to do it for you.
One of the most common privacy questions we get about social media is whether posting a photo to Facebook leaks your location. The reassuring news is that the public image Facebook serves is heavily processed, and the original EXIF block—the invisible data your camera writes into every shot—generally does not survive that processing. But the more useful answer is longer, because the reasons Facebook strips that data have nothing to do with protecting you, and the gaps in that protection are exactly where people get caught out. Below we explain what actually happens to your Facebook photo metadata when you click "Post," what the platform keeps for itself, and where the genuine exposure lives.
Every photo you upload to Facebook is re-encoded on the way in—and that pipeline is where most of your EXIF data disappears. Photo by ready made on Pexels.
What Happens to a Photo When You Upload It
To understand why Facebook removes EXIF data, it helps to know what the platform is actually doing to your image. When you upload a photo, Facebook does not store the exact file you sent and hand it back unchanged. Instead it processes the image: it resizes the photo into several display dimensions, compresses it heavily to save bandwidth, and re-encodes it as a new JPEG optimized to load fast for billions of people on every kind of connection. That re-encoding step builds a fresh file from the raw pixel data, and a fresh JPEG does not inherit the original EXIF block unless the software deliberately copies it across. Facebook's pipeline does not copy the camera EXIF across.
The result is that the photo on your timeline is a stripped-down derivative. If you or anyone else downloads that public image and inspects it with a metadata viewer, you will typically find none of the sensitive camera fields—no GPS coordinates, no camera make and model, no lens serial number, no original capture timestamp. The EXIF data your phone wrote when you pressed the shutter simply does not make it through Facebook's servers and onto the version the public sees.
This is consistent with how most large social platforms behave, and the motivation is not your privacy—it is performance and storage cost. Stripping the heavy metadata block makes files smaller and faster to serve, and re-encoding gives Facebook uniform images it can cache and distribute efficiently across its content network. Privacy researchers, including the Electronic Frontier Foundation, have long pointed out that this incidental stripping is real but should never be mistaken for a privacy feature, because it is a side effect the company can change at any time and one that only applies to the copy of the file Facebook chooses to publish. We walk through the same dynamic on a related platform in our breakdown of whether Instagram actually removes EXIF data when you upload—and the pattern is nearly identical, which is no surprise given both apps run under the same parent company.
What Facebook Adds Back: fbid and IPTC Tags
Here is a wrinkle most people never notice. Facebook does not just remove metadata—it adds its own. If you download a photo straight from Facebook and open it in a metadata viewer, the camera EXIF is gone, but you will often find new fields that were not in your original file. The most well-known is a long numeric identifier embedded in the image, sometimes surfaced in the file name or in an IPTC "special instructions" field, that ties the image back to Facebook's own records.
This identifier, commonly called an fbid, is a tracking handle. It does not contain your GPS location, but it is a thread that can link a downloaded image back to the account, post, or upload event it came from. Security researchers have demonstrated that these embedded IDs persist even after a photo is downloaded and re-shared elsewhere, which means a "Facebook photo" can be traced as a Facebook photo long after it leaves the platform. So the accurate picture is not simply "Facebook strips your metadata." It is "Facebook strips your camera metadata and replaces it with its own identifying metadata." One channel of information closes; another quietly opens.
For most casual posting this matters little. But if you are sharing images and assume a clean file means an anonymous file, the presence of platform-injected identifiers is worth knowing about—especially for journalists, activists, or anyone who needs a photo to be untraceable.
What Facebook Keeps—and What It Knows
Stripping the public copy does not mean the original metadata is gone. When you upload, your complete file—GPS, serial number, capture timestamp, and all—travels to Facebook's servers before any stripping happens. Facebook receives the untouched original. What the company does with that data internally, how long it retains it, and how it feeds advertising and recommendation systems is governed by its own privacy policy rather than by anything visible to you. The honest framing is not "Facebook deletes my location." It is "Facebook removes my location from the file other people can download, while keeping the original for itself."
There is also a whole category of location data Facebook never strips, because you volunteered it. The optional check-in, the location sticker, and the place tag are deliberate, public labels. They are entirely separate from EXIF. EXIF GPS is invisible coordinates baked into the file; a check-in is a visible flag you choose to attach. Removing the former does nothing about the latter. Tag your posts at your home, your gym, your kid's school, and your regular coffee shop, and over time those tags reveal a routine far more precisely than a single buried GPS coordinate ever would. Consumer advocates at Consumer Reports have repeatedly warned that voluntary location sharing—not hidden EXIF—is where most everyday over-exposure actually comes from.
The lesson is that EXIF removal closes one narrow channel of leakage while leaving two wide open: the original data Facebook retains on its end, and the location you hand over voluntarily through check-ins, tags, and captions.
Stripping happens only after your full file reaches Facebook's servers—the original, with GPS intact, arrives first. Photo by energepic.com on Pexels.
Where the Real Exposure Lives
If the public Facebook photo is mostly stripped, where does the genuine risk come from? Three places, and none of them is the public timeline.
The first is off-platform sharing. The moment a photo leaves Facebook's upload pipeline, the protection evaporates. If you send the original image to someone through Messenger as a file attachment, email it, or save it to a shared drive, you are moving your own original—the one with full EXIF intact—not Facebook's stripped derivative. People assume that because a photo "is on Facebook," it is safe everywhere, but the stripped version exists only on Facebook's servers. The geotagged master still sits in your camera roll, ready to leak the moment you share it directly. Our guide on how to send photos without sharing your location covers exactly this gap.
The second is the inconsistency of platform processing across surfaces. Facebook's main feed re-encodes aggressively, but the platform is a sprawling target—timeline posts, Stories, Marketplace listings, group uploads, Messenger sends, and "send as file" options all behave differently. The processing applied to each is not identical, and it shifts over time as the apps update. A path that strips metadata today may behave differently after the next release, which is precisely why security professionals refuse to treat any single observed behavior as a permanent guarantee. Marketplace photos are a particularly common trap: people list furniture or a car shot inside their home and never consider that the original file documented exactly where they live.
The third is the simple fact that you are trusting a third party with a safety-critical task. If your physical safety depends on a location not leaking—if you are escaping an abusive situation, reporting sensitive events, or simply value not broadcasting your home address—then "the platform usually strips it" is not a standard worth betting on. The only version of the file you fully control is the one on your own device, and the only stripping you can verify is the stripping you do yourself before the photo ever touches the upload box.
Facebook keeps your untouched original on its servers and can attach its own identifiers to what it serves back. Photo by Sora Shimazaki on Pexels.
Why You Shouldn't Rely on the Platform
It is worth stating the principle plainly, because it applies well beyond Facebook. Relying on a platform to remove your metadata means handing control of your privacy to a company whose priorities are storage cost and engagement, not your safety. The stripping is a byproduct of how Facebook serves images efficiently. It can be reduced, reversed, or made inconsistent across features whenever a product decision calls for it—and Facebook's habit of injecting its own identifiers shows the company is perfectly willing to write into your files when it serves the company's interests.
The durable solution is to make clean files your default. Turn off location tagging in your phone's camera settings so new photos are never geotagged to begin with. Strip the metadata from anything sensitive before it leaves your device, whether you are posting publicly, listing on Marketplace, or sending a file to a friend. And verify, rather than assume—open a photo in a metadata viewer and confirm the GPS field is empty before you share it. The same discipline that protects you on Facebook protects you everywhere else, including the platforms that strip nothing at all. If you are new to this, our walkthrough on how to strip EXIF data from a photo and our explainer on the hidden metadata your iPhone embeds in every shot are the best places to start.
The Bottom Line
So, what metadata does Facebook keep when you upload a photo? On the public copy, very little of your camera metadata survives—the GPS, serial numbers, and timestamps are stripped during re-encoding. But Facebook keeps your original file on its servers, keeps every check-in and location tag you choose to add, and adds its own tracking identifiers to the images it serves. The platform's stripping is real but incidental, partial, and outside your control. Treat it as a convenient side effect, never as a privacy guarantee, and do the one thing that actually keeps you safe: clean your photos yourself, on your own device, before they ever reach the upload box.