Zak Doffman, Forbes:

Despite me telling my iPhone “never” to allow Facebook access to my location, despite me checking Facebook online to confirm it knows “location history for mobile devices” is set to “off.” Facebook continues to exploit a loophole, harvesting photo location tags and IP addresses, all of which it will, in its own words, “collect and process.”

Loophole?

I took a photo with my iPhone and then uploaded that to my Facebook account. I used Facebook’s app on my iPhone, the same app that has been told “never” to access my location, the same account that knows I have this switched off. But Facebook still collects the location tag from that photo, along with my IP address.

And:

Facebook and Instagram do in fact strip the metadata, the so-called EXIF information, from photos that are saved to their platforms. You can see this, because if you save a photo from Instagram or your Facebook albums onto your phone, there will be no location information. That has been replaced with Facebook’s own codes.

And so, you might assume that Facebook has deleted this data. Wrong. If you go to your Facebook privacy settings and select “your Facebook information,” you can download a copy of the data it holds. If you select “photos and videos,” you will see the data that Facebook saved from the images you uploaded.

This is heinous. Read the whole piece. There’s a lot more detail here, but in a nutshell, the loophole is Facebook’s access to your photo EXIF data.