Facebook is still tracking the apps that users open, even if they don’t have a Facebook account. This affects at least 61% of the tested applications and may be illegal under the new GDPR law. Despite strict scrutiny and new privacy laws, a new study shows that many of the most popular Android apps are still sending user data to Facebook. This data is sent regardless of whether the user is logged in or even has a Facebook account. Data is sent immediately when the application is opened and the user can choose to opt out or enable privacy settings.
Privacy International conducted the study and found that at least 61% of the applications they tested sent this data to Facebook. The data contains details about how the application was opened, when it was opened, and when it was used. The unique Google Advertising ID (AAID) is sent with the data, so Facebook can analyze the user even if the user does not have a Facebook account. A full list is available here.
While data about which applications a user opens may seem harmless, Facebook can combine it with data collected in other ways to create very detailed personal ad profiles. The problem is not in the applications themselves, but in Facebook’s Android SDK, which developers use to build applications.
On June 28th, Facebook claimed that they updated their Android SDK to add a delay to this event logging, so that data is sent only after the user agrees. But many of the most popular apps use older versions of the SDK, which lack this privacy feature. The update does not even disable the problematic SDK initialization message, and the applications are still sending data.
Privacy International is unable to determine how Facebook uses this data because the company is not very transparent about these issues. In any case, Facebook still has a lot of explaining to do.