Facebook can track your online activity even if you don't have a Facebook account, and that may breach European privacy laws, according to a report by two Belgian universities.
'Facebook is subject to and complies with EU data protection law.' – Facebook statement
The report was ordered by the Belgian Privacy Commission, with research conducted at the University of Leuven and the Vrije Universiteit Brussel, after the commission determined that Facebook's privacy policies, which were updated in January, violated European customer privacy laws.
It says that Facebook's revised data use policy has enabled the social media giant "to create a vast advertising network which uses data from inside and outside Facebook to target both users and non-users of Facebook."
Facebook can track users who have an account, says the report, with multiple cookies that identify them. Even non-users are tracked, with a cookie called "datr," which has an expiration date of two years.
The tracking cookie can be placed on a user's computer when he or she visits a website that includes a Facebook plug-in, not just Facebook.com itself, regardless of whether you clicked "like" or "share" on the social media toolbar.
"This means that Facebook tracks its users across websites even if they do not make use of social plug-ins, and even if they are not logged in," and that "tracking is not limited to Facebook users," says the report.
Services in Europe, Canada and the United States offer the ability to remove websites' ability to track your computer's online activity for advertising purposes – also called "online behavioural advertising." However, according to the report, opting out of this practice in Europe through the European Digital Advertising Alliance doesn't stop Facebook from tracking you with the aforementioned cookies. What's more, non-Facebook users who opt out with this practice actually enable cookie tracking if they were not previously being tracked.
When the same test was applied to the opt-out functions provided by the Digital Advertising Alliance in Canada (DAAC) and the U.S., it was found that no long-term cookies were deployed, but could not determine why the North American cases were treated differently from Europe's.
Wally Hill, chairman of the DAAC, told CBC News he was unaware of the Belgian study, but said Facebook is a member in good standing with the advertising opt-out program.
"To date, there has been no indication, as far as I know, that there's any serious issue with Facebook, or indeed any of our other program participants," he said.
The DAAC deals specifically with tracking cookies and other methods of online behavioural advertising. The Belgian study noted that the "datr" cookie "is used for security, among other purposes," though the other purposes are not made entirely clear by Facebook.
Report 'inaccurate,' Facebook says
A Facebook spokesperson told the Guardian that the Belgian report "contains factual inaccuracies," though did not offer specifics, adding that its authors did not contact Facebook, "nor sought to clarify any assumptions upon which their report is based."
"Facebook is subject to and complies with EU data protection law," the company said in a statement on its website on Thursday. "We're confident we are operating within the law and the EU Data Protection Directive, but even moreso we believe we offer people best-in-class transparency and tools to control their experience and the advertising they see."
Regarding the latter, the report claimed the exact opposite, saying that users have little control over what information Facebook can track and what it can't, burying the options in obscure menus and technical, or overly vague, language.
"Users are even more disempowered because they are unaware about how exactly their data is used for advertising purposes," the report says.