Contracts are a pretty gray area. In a lot of contexts, a handshake agreement or email exchange, if documented well enough, can constitute a binding, legally enforceable contract. It doesn't have to be on a paper saying OFFICIAL CONTRACT with signatures at the bottom.

Perhaps that is so in the US; I don't know.

In Europe, however, privacy policies play a significant legal role in terms of complying with privacy and data protection legislation.

Facebook has its international HQ in Europe and deals with personal data about EU citizens, and is thus subject to EU rules as well as US ones.

Why aren't they contracts? When I sign up for a website, I have to enter into a contract for their Terms & Conditions, which usually includes the Privacy Policy.