
Has Facebook tracked the websites you’ve looked at?


Did you know that by signing up to Facebook, you’re allowing it to track your browsing habits across the web, and giving it consent to collect what’s arguably personal and sensitive data? I didn’t.

Apparently though, you are. The reasoning goes something like this: by signing up to Facebook and accepting its privacy policy you’re giving it your consent to track your browsing on partner websites.

The problem is that we don’t think agreeing to a lengthy privacy policy is providing “explicit” consent for the collection of what may well be personal sensitive information. Unless you’ve been specifically asked whether you’re happy for your browsing habits to be tracked, we don’t think you’ve given any such consent.

And explicit consent is important here because, without it, no company can process (or use) an individual’s personal sensitive data without being in breach of the Data Protection Act (DPA).

Facebook’s privacy policy

I’ve read and re-read the paragraphs in Facebook’s privacy policy that are meant to say I’ve consented to the company collecting personal data on the websites I visit (you can too, under the section ‘Information We Receive’), but I can’t see any such mention. Plus, a privacy policy couldn’t really constitute explicit consent even if it wanted to.

Which brings me to my point. Last week a story broke about the health website NHS Choices letting Facebook track the browsing behaviour of its users, along with their Facebook IDs, via its ‘Like’ button embedded on some webpages. And according to Garlik, the firm that made the discovery, Facebook users are tracked even if these buttons aren’t actually clicked.

Now, why the NHS would allow a third party website to track its visitors in this way is beyond me. But the real point here is that these webpages contain health and lifestyle advice that could be personal to the browsing individual. Do you want Facebook to know that you’ve looked at a page about a particular disease or condition?

Has your online privacy been breached?

And now we come back to the Data Protection Act. Here at Which? we think that Facebook could be in breach of the DPA if it’s proved that sensitive and personal data has actually been collected without explicit consent. Plus, surely NHS Choices has a duty to prevent sensitive user data from being collected in this manner?

Both Facebook and NHS Choices, of course, deny that any breaches have taken place. So it’s now up to the Information Commissioner’s Office to investigate. South Korea’s communications regulator has already taken action, accusing Facebook of violating the country’s data privacy laws and arguing that it needs to do a better job at getting user consent.

I think that Britain’s regulator should also take a good look at Facebook’s privacy policies. Does the company actually ask for explicit consent to track and gather information on what sites we look at? And if you knew that it did, would you still want to keep your Facebook account?

Sophie Gilbert says:
10 December 2010

And another reason not to be on Facebook. This is shocking. I regularly find new reasons to be delighted I deleted my account a wee while ago, and I doubt now that I will ever regret doing so.

Good post.

I think a lot of people make the mistake that Facebook is some altruistic free service. It isn’t. It makes millions from trading in our personal information. That’s its business model. It’s an information broker between us and the advertising industry. Like any business, Facebook needs to continually increase its revenue and grow; the quickest way to do that is by further harvesting its only resource – us!

SeRiouS says:
10 December 2010

I must draw to your attention that it’s not just the like button, but also the FB.share feature that allows Facebook to track your every move…

It is thus with a tinge of sadness that I note the irony that you have such a share button on this page, hosted on the Facebook platform, which essentially means Facebook knows I’ve visited your blog. Checking the time logs, they can probably tell I’ve left this comment too.

We foresaw this very comment, SeRiouS. However, what is viewed on Which? Conversation is arguably not personal and sensitive data, whereas the pages you look at on the NHS arguably are. Also, we would hope that there will be some action taken over Facebook tracking what pages you are viewing without you actually deciding to press the embedded buttons (if that is indeed what it is doing). Watch this space.

Chris says:
14 December 2010

Look, wake up & smell the coffee, guys. It’s a trade: you give up some of your privacy in return for something they have available. They’re monetising it using marketing ads. Is that really so terrible? And I guess those that don’t use Facebook swap back to the phone or email? And that’s completely secure, right?

“They’re monetising it using marketing ads.”

Actually, they’re monetising it by selling any information you have shared with them…

This comment was removed at the request of the user

Thanks Duncan – that’s interesting.

Whilst many Android users won’t be bothered by this – or will already be Facebook users – other folk may wonder what they can do about this.

In the USA, Purism are working to produce an open source phone designed to respect users’ privacy.


But they won’t be inexpensive, at least not to start with.

Although any sort of mobile phone works to a greater or lesser extent as a personal locator beacon, I guess that using an Android maxed out with apps is probably the worst end of that spectrum.

Personally, I do use a cheap Android smartphone for calls, texts, email and web browsing – but not much else. I do also have a Facebook account, but I’m disinclined to use it from my phone (I prefer to only access it from my social media laptop).

For me the convenience of being able to receive my emails wherever I am and being able to web browse from anywhere seems worth it. I can’t see that I’m suffering any actual harm from the “data slurping” that my internet usage must be causing. (These days, even the use of snail mail can contribute to one’s digital footprint, because many organisations will put scanned records of paper correspondence onto either public or private (but potentially hackable) cloud servers.)