Facebook violates EU law by tracking users for targeted advertising, a European privacy panel said Tuesday.
The report was commissioned by the Belgian Privacy Commission, which sits under the EU’s European Commission, and is an updated version of an initial draft that surfaced in February. A key development of the update claims that Facebook cookies the browsers of any person that visits its site, including those without Facebook accounts and those who have specifically opted out of tracking in the EU.
The report was co-authored by the Centre of Interdisciplinary Law and ICT and the Computer Security and Industrial Cryptography department at the University of Leuven in Brussels, and the media, information and telecommunication department at Vrije Universiteit in Brussels.
While Facebook responded to an initial draft of the report in February by stating to The Guardian that it’s “confident [Facebook’s revised terms] comply with applicable laws,” it attacked the latest findings.
“This report contains factual inaccuracies,” Facebook said in a statement emailed to AdExchanger. “The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public.
“We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.”
The report concedes that although Facebook shares high-level information about tracking practices with its users, its tracking capabilities have increased and that the collection and application of that tracking data violates an EU privacy doctrine that requires informed user consent before companies store or collect information about an individual’s device.
“Facebook’s tracking capabilities have expanded mainly through the spread of social-plugins (like buttons) and through new forms of mobile tracking,” the report claims.
According to the researchers, these plugins sit on more than 13 million sites and detect an Internet browser’s cookies, sending that tracking data back to Facebook – even if the user is not registered with Facebook and didn’t click “Like.”
The report also argues Facebook’s opt-out option is ambiguous and unclear.
“[Facebook] does not walk users through the settings for vis-à-vis advertising or access by third-party application providers,” the authors wrote, adding that this approach “does not meet the requirements for legally valid consent.”
EU consumer privacy concerns tend to be more stringent than those in the US. While most privacy advocates tend to sic their watchdogs on Google, Facebook has largely gone unnoticed – until now.
This latest report could signal that Facebook is no longer invisible and that it’s worth wondering if a trickle-down effect is in play.
One theory is that regulators will continue to crack down on the largest firms before the long arm of EU law reaches smaller companies.