The report was ordered by the Belgian Privacy Commission, with research conducted at the University of Leuven and the Vrije Universiteit Brussel, after the commission determined that Facebook’s privacy policies, which were updated in January, violated European customer privacy laws.
It says that Facebook’s revised data use policy has enabled the social media giant “to create a vast advertising network which uses data from inside and outside Facebook to target both users and non-users of Facebook.”
Facebook can track users who have an account, says the report, with multiple cookies that identify them. Even non-users are tracked, with a cookie called “datr,” which has an expiration date of two years.
The tracking cookie can be placed on a user’s computer when he or she visits a website that includes a Facebook plug-in, not just Facebook.com itself, regardless of whether you clicked “like” or “share” on the social media toolbar.
“This means that Facebook tracks its users across websites even if they do not make use of social plug-ins, and even if they are not logged in,” and that “tracking is not limited to Facebook users,” says the report.
Services in Europe, Canada and the United States offer the ability to remove websites’ ability to track your computer’s online activity for advertising purposes – also called “online behavioural advertising.” However, according to the report, opting out of this practice in Europe through the European Digital Advertising Alliance doesn’t stop Facebook from tracking you with the aforementioned cookies. What’s more, non-Facebook users who opt out with this practice actually enable cookie tracking if they were not previously being tracked.
When the same test was applied to the opt-out functions provided by the Digital Advertising Alliance in Canada (DAAC) and the U.S., it was found that no long-term cookies were deployed, but could not determine why the North American cases were treated differently from Europe’s.
The DAAC deals specifically with tracking cookies and other methods of online behavioural advertising. The Belgian study noted that the “datr” cookie “is used for security, among other purposes,” though the other purposes are not made entirely clear by Facebook.
A Facebook spokesperson told the Guardian that the Belgian report “contains factual inaccuracies,” though did not offer specifics, adding that its authors did not contact Facebook, “nor sought to clarify any assumptions upon which their report is based.”?
“Facebook is subject to and complies with EU data protection law,” the company said in a statement on its website on Thursday. “We’re confident we are operating within the law and the EU Data Protection Directive, but even moreso we believe we offer people best-in-class transparency and tools to control their experience and the advertising they see.”
Regarding the latter, the report claimed the exact opposite, saying that users have little control over what information Facebook can track and what it can’t, burying the options in obscure menus and technical, or overly vague, language.
“Users are even more disempowered because they are unaware about how exactly their data is used for advertising purposes,” the report says.