Each Facebook User Is Monitored by Thousands of Companies
A Consumer Reports analysis looks at who is sending information about your online activity to Facebook
This article was copublished with The Markup, a nonprofit, investigative newsroom that challenges technology to serve the public good. Sign up for its newsletters here.
By now most internet users know their online activity is constantly tracked. No one should be shocked to see ads for items they previously searched for, or to be asked if their data can be shared with an unknown number of “partners.”
But what is the scale of this surveillance? Judging from data collected by Facebook and newly described in a unique study by Consumer Reports (PDF), it’s massive, and examining the data may leave you with more questions than answers.
Despite its limitations, the study offers a rare look, using data directly from Meta, on how personal information is collected and aggregated online.
Meta spokesperson Emil Vazquez defended the company’s practices. “We offer a number of transparency tools to help people understand the information that businesses choose to share with us, and manage how it’s used,” Vazquez wrote in an emailed statement to The Markup.
While Meta does provide transparency tools like the one that enabled the study, Consumer Reports identified problems with them, including that the identity of many data providers is unclear from the names disclosed to users and that companies that provide services to advertisers are often allowed to ignore opt-out requests.
One company appeared in 96 percent of participants’ data: LiveRamp, a data broker based in San Francisco. But the companies sharing your online activity to Facebook aren’t just little-known data brokers. Retailers like Home Depot, Macy’s, and Walmart, all were in the top 100 most frequently seen companies in the study. Credit reporting and consumer data companies such as Experian and TransUnion’s Neustar also made the list, as did Amazon, Etsy, and PayPal.
LiveRamp did not respond to a request for comment.
What Exactly Does This Data Contain?
The data examined by Consumer Reports in this study comes from two types of collection: events and custom audiences. Both categories include information about what people do outside of Meta’s platforms.
Custom audiences allow advertisers to upload customer lists to Meta, often including identifiers like email addresses and mobile advertising IDs. These customers, and so-called look-alike audiences made up of similar people, can then be targeted with ads on Meta’s platforms.
The other category of data collection, “events,” describes interactions that the user had with a brand, which can occur outside of Meta’s apps and in the real world. Events can include going to a page on a company’s website, leveling up in a game, going to a physical store, or purchasing a product. These signals originate from Meta software code included in many mobile apps, their tracking pixel, which is included on many websites, and from server-to-server tracking, where a company’s server passes data to a Meta server.
The Markup has written extensively about the Meta Pixel and how it has been used to surveil people as they dial suicide hotlines, buy their groceries, take the SAT, file their taxes, and book appointments with their doctors. Website owners can configure the pixel to track user website interactions such as searches or filling out a form, sending each action to Meta, even if the user doesn’t have an account on Facebook. Although research tools like The Markup’s Pixel Hunt can detect the Meta pixel or SDK tracking, there is no way for a consumer to monitor the traffic between a company’s server and Meta’s. This Consumer Reports study looks at server-to-server data along with the rest.
Try Permission Slip!
CR’s app can help you take back control of your online data.
How Can You See Your Data?
Facebook users can browse through the list of companies that have sent their data to Facebook by going to the Accounts Center and clicking on “Your information and permissions.”
From this menu, users can either download or access their information. To see the companies outside of Meta that have been sharing your information, select “Your activity off Meta technologies,” then “Recent activity.” You might be prompted to reenter your password at this point. This view will show you the number of recent connections between various third-party businesses you visited and Meta, and examples of the activity that was shared. You can choose to prevent future sharing by the company by selecting “Disconnect.” To see detailed information about these interactions, request a copy of your data.
But after jumping through the many hoops required to get your hands on this data, you may still be left with lingering questions. For example, in addition to easily recognizable company names more than 7,000 companies in Consumer Reports’ study were named using unreadable gibberish, or just numbers that don’t mean anything to most users. Even those companies with readable names often did not include links to the company website. Some company names were ambiguous, such as Viking, which could be a number of different businesses.
“This type of tracking which occurs entirely outside of the user’s view is just so far outside of what people expect when they use the internet,” Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, told The Markup in an interview. Fitzgerald said that while users are likely aware that Meta knows what they are doing while they are on Facebook and Instagram, “they don’t expect Meta to know what stores they walk into or what news articles they’re reading or every site they visit online.”
In the report, Consumer Reports calls for a number of policy proposals covering data collection practices, some of which could be part of a national digital privacy law, something that the organization has long advocated for. The recommendations specifically aimed at Meta’s technology and the advertisers who use it include:
• Requiring companies to adopt “data minimization” strategies, which call for the collection of the absolute minimum amount of data needed to provide the service being offered.
• Expanding the powers of “authorized agents” to act on behalf of consumers to act on their rights. Permission Slip is a mobile app by Consumer Reports that allows users to quickly opt out of and delete data from a long list of companies and data brokers on behalf of users; the app takes advantage of state privacy laws’ authorized agent provisions.
• Increasing ad transparency by creating ad archives that allow the public to see all ads that have been served to users on a platform, following the lead of the European Union’s Digital Services Act.
• Improving the quality and readability of the data that Meta makes available in its existing transparency tools, so that consumers can actually act on the information they review.
Fitzgerald echoed these recommendations, saying the problem lies with the fact that the burden is on the consumer to take action to prevent this data collection. Even a “global opt-out” mechanism allowing users to avoid having their data shared is not enough because “that still requires the user to take an action to protect their privacy. A lot of people are not going to have the time or knowledge to do that,” Fitzgerald said.
Vazquez, Meta’s spokesperson, said the company would “continue to invest in data minimization technologies to keep up with evolving expectations. As we cover in our terms, businesses are responsible for getting permission to share people’s information with companies like ours.”
For now, the lack of a federal privacy law leaves consumers in most states with few options. “I think people should be encouraging their elected officials to pass privacy laws that require businesses to change some of these business practices to stop this ubiquitous tracking of our every click and every movement,” Fitzgerald said.
Editor’s Note: Consumer Reports has a business relationship with LiveRamp and another data broker, Acxiom. Consumer Reports shares data with each of these companies in order to help support its mission.
