Facebook’s Retail Data Mining Already Being Questioned by Privacy Groups

That was fast. Just a few days after multiple outlets reported on a new way Facebook is providing better analytics on ad campaigns to marketers, two electronic privacy groups have asked the Federal Tr...
Facebook’s Retail Data Mining Already Being Questioned by Privacy Groups
Written by Josh Wolford
  • That was fast. Just a few days after multiple outlets reported on a new way Facebook is providing better analytics on ad campaigns to marketers, two electronic privacy groups have asked the Federal Trade Commission to look into whether or not the practice violates recent concessions made by the company in an FTC privacy settlement.

    We recently learned that Facebook is tracking what you buy in order to help marketers determine if their advertising campaigns on the site are paying off. Facebook is working with a data mining company called Datalogix to see if users served certain ads on-site are ending up buying said products and services later on down the road.

    Datalogix compiles a giant database of consumer purchasing data, including email addresses and other user information. They do this primarily by tracking what consumers buy on retailer rewards cards. When that data is paired with Facebook data concerning user IDs and ad impressions, marketers can see a clear picture of whether an impression directly resulted in a purchase.

    Although the procedure seems rather surreptitious at first, all of the user information is kept anonymous and is simply used for analytic purposes, according to Facebook.

    “Facebook doesn’t get data that retailers give Datalogix; retailers don’t get any data from Facebook; nor do advertisers share any of their data with Facebook or vice versa,” says Facebook. What Facebook does share is “anonymous IDs corresponding to consumers exposed to a given ad campaign.”

    Facebook certainly isn’t hiding this, as they have an entire section devoted to it in their Help Center.

    But according to the Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD), the data mining venture may constitute a breach of terms laid out by a previous FTC settlement.

    That FTC settlement barred Facebook from misrepresenting “in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information,” as well as ““the extent to which [Facebook] makes or has made covered information accessible to third parties.”

    It also requires that Facebook “prior to any sharing of a user’s nonpublic user information by [Facebook] with any third party, which materially exceeds the restrictions imposed by a user’s privacy setting(s),” Facebook must make a “clear and prominent” disclosure and obtain the “affirmative express consent” of the user.

    Basically, if Facebook wants to share user information in a way above and beyond their privacy settings, Facebook has to make it abundantly clear their intention to do so.

    The two privacy groups have this to say to the FTC in a letter:

    The Commission should investigate whether Facebook has violated Parts I and II of the Consent Order. Facebook did not attempt to notify users of its decision to disclose user information to Datalogix. Neither Facebook’s Data Use Policy nor its Statement of Rights and Responsibilities adequately explains the specific types of information Facebook discloses, the manner in which the disclosure occurs, or the identities of the third parties receiving the information. In fact, Facebook only mentions Datalogix once – at the bottom of the “Interacting with Ads” page. This page requires at least five actions to reach from the Facebook.com home page and simply directs users to the Datalogix privacy policy. The Consent Order’s prohibition on misrepresentations includes misrepresentations by omission. Thus, the Commission should determine whether Facebook’s failure to notify users of the disclosure of user information to Datalogix violates the consent order.

    They also question Facebook’s assertion that it is all anonymous, saying:

    Facebook asserts that the shared information is hashed, and thus anonymous. But the Commission has stated that “hashing is vastly overrated as an ‘anonymization’ technique.”

    These two privacy groups have a history of demanded FTC actions on Facebook services. EPIC has already asked the FTC to look into Facebook’s Timeline feature and well as it’s facial recognition software.

    What do you think? Is it a violation of the previous FTC agreement?

    [via NextGov]

    Get the WebProNews newsletter delivered to your inbox

    Get the free daily newsletter read by decision makers

    Subscribe
    Advertise with Us

    Ready to get started?

    Get our media kit