Privacy groups call for action to stop Facebook's off-site user tracking plans

Authorities should act immediately to stop this new vast expansion of Facebook's data collection and user profiling, privacy groups said

U.S. and EU privacy and consumer groups called on privacy regulators to stop Facebook's plans to gather the Internet browsing patterns of its users while they visit other sites.

The groups, gathered in the Transatlantic Consumer Dialogue (TACD), asked the U.S. Federal Trade Commission (FTC) and the Irish Data Protection Commissioner (DPC) to stop Facebook collecting the web browsing activities of Internet users in order to target advertising. They made the request in a letter sent to the authorities on Tuesday. Facebook's European headquarters is in Ireland, giving the Irish data protection commissioner responsibility for defending its European users' personal data and privacy rights under EU law.

The privacy groups expressed "deep alarm" about Facebook's June announcement that it would start tracking information from some of the websites and apps its users are visiting in order to serve more relevant ads.

At the time, Facebook said: "When we ask people about our ads, one of the top things they tell us is that they want to see ads that are more relevant to their interests," adding that in the U.S. it would "soon" start tracking users' off-site surfing behavior. Anyone who doesn't want to be tracked can opt out via the Digital Advertising Alliance website.

But on Tuesday the groups said: "Facebook already installs cookies and pixel tags on users' computers to track browsing activity on and Facebook apps. If Facebook is permitted to expand its data collection practices, those cookies and pixel tags will also track users' browsing activity on any website that includes a few lines of Facebook code."

Authorities should "act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law," the groups said, asking the authorities to make any findings public so they can be reviewed.

In the past, Facebook has stated it does not track users across the web and said no information received when users see a Facebook social plugin on a third party website is used to target ads, the groups said. However, Facebook's proposed data collection expansion directly contradicts its previous statements, they said.

Facebook's proposed use of pixel tags to track users is almost identical to its 2007 Beacon program. Within that advertising program, 1x1 pixel GIF tags were used to track users' browsing history on non-Facebook websites and to transmit that information to Facebook's own servers, they said.

That program was abandoned by Facebook after users protested and filed a class-action lawsuit in the U.S. for privacy violations. In the wake of the uproar, Facebook apologized and admitted the program had been a mistake.

The groups also called on the FTC to examine whether Facebook's change in business practices violates a 2012 consent order between it and the FTC in a case involving the company's repeated sharing of information its users had asked to keep private. In that order Facebook agreed not to misrepresent the extent to which it maintains the privacy or security of covered information, while this change is misleading users, the groups said.

Moreover, the groups say, when users must go to a separate website in order to opt out of the new program, they have not given their "affirmative express consent" -- something required by the FTC's consent order. Opting out involves downloading an opt-out cookie to override the Facebook collection cookie, which has the effect of punishing the users who are most diligent about their privacy because the minute users clear their cookies, they also delete the opt-out preference, the groups said.

They also asked the Irish DPC how this "new vast expansion of the social network's data collection and user profiling" could have been allowed to go forward in the light of the DPC's investigation of Facebook's privacy practices. After that investigation, which led to the DPC recommending further actions, Facebook made a series of commitments to improve its privacy practices in the EU.

"We respectfully call on you to take the appropriate action, order Facebook to reverse its new data collection practice, and develop public accountability mechanisms for the company to ensure it is complying with required privacy practices," the groups said.

Facebook did not immediately respond to a request for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to
