A newly released study of 34 prominent Android apps found that roughly 68 percent of them share user data with Facebook even when the device operator isn't actively logged into the social media service or, for that matter, never created a Facebook account.
In such instances, the apps typically communicate to the social media giant when they are opened, closed and actively used, the report indicates. They also relay the user's device information and general location, all via the Facebook SDK (software development kit).
Moreover, 61 percent of the 34 apps begin automatically transmitting this data immediately, from the very moment the app is opened.
Conducted by UK-based watchdog group Privacy International, the study specifically looks at a subset of apps that were previously identified as as likely to transmit data to Facebook. These apps feature install bases of 10 to 500 million users, and in many cases handle potentially sensitive information.
Such data sharing practices could raise privacy concerns, especially when there is no explicit user consent, and particularly with strict GDPR regulations now in effect, the report explains. As it stands, Facebook is already under intense scrutiny following the Cambridge Analytica scandal in addition to numerous other data sharing and breach controversies that damaged the company's reputation.
The apps that were found to immediately begin transmitting data to Facebook include such notables as Duolingo, Kayak, Shazam, Spotify Music, TripAdvisor and Yelp. A full list is available here.
In its report, Privacy International notes that apps will transmit data to Facebook along with the Google advertising ID (AAID), a unique identifier designed to help advertisers create profiles of users from their activity across multiple apps, and even multiple devices. "If combined, event data such as 'App installed', 'SDK Initialized' and 'Deactivate app' from different apps also offer a detailed insight into the app usage behavior of hundreds of millions of people," the report states.
"Facebook's SDK tool means that developers can choose to collect app events automatically, to not collect them at all, or to delay collecting them until consent is obtained, depending on their particular circumstances," a Facebook spokesperson told SC Media in response to the Privacy International report. "We also require developers to ensure they have an appropriate legal basis to collect and process users' information. Finally, we provide guidance to developers on how to comply with our requirements in this regard."
"Facebook's collection of information is clearly explained in our Data Policy and Cookies Policy," the statement continues. "We ensure that these policies are accessible from each page on Facebook, and that users can access and read these policies when they sign up to Facebook or during updates to these policies."