Many of the advertising companies hand-picked by Facebook to provide in-app advertising “operate without regard to the most basic privacy norms,” according to an analysis by PrivacyChoice, a nonprofit that supports online privacy.
Apps must gain permission from users to grab data, such as birthdays or social contacts, from their profiles. Advertising companies may see that data but have not obtained the user’s permission to do so. Facebook handles this problem by requiring the advertising companies it white lists to agree not to use the data other than to target ads within the given app.
But the companies don’t have track records for respecting users privacy, according to the PrivacyChoice analysis.
For example, just 16 percent of the companies have a deletion policy to address data for which they don’t have consent. Just 13 and 19 percent, respectively, belong to the fair-advertising industry initiatives Network Advertising Initiative and Digital Advertising Alliance. Just 1 percent honor consumers’ Do-Not-Track preferences.
Facebook tells app makers that it is up to them “to ensure compliance with Facebook’s Advertising Guidelines.”
PrivacyChoice isn’t alleging any actual breaches in privacy. Rather, it’s pointing to a plausible scenario through which even conscientious Facebook users could inadvertently allow their data to leak beyond the Facebook ecosystem.