Facebook and Datalogix
- Consumer Groups Ask FTC to Investigate Facebook-Datalogix Data-Matching Arrangement: EPIC, joined by the Center for Digital Democracy, has asked the Federal Trade Commission to investigate whether Facebook's data-matching arrangement with Datalogix violates a settlement between the FTC and Facebook. Facebook is matching the personal information of users with personal information held by Datalogix. The settlement, adopted in August, prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. EPIC had previously asked the FTC to determine whether "Timeline," which made archived user data widely available, or biometric tagging of user photos violated the terms of the consent order. The FTC has not made a determination on the EPIC Timeline request, and Facebook has suspended facial recognition in the US. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Datalogix. (Sep. 27, 2012)
In response to pressure from advertisers who wanted Facebook to provide concrete data about the effectiveness of their advertising campaigns, Facebook partnered with Datalogix, an analytics firm. Datalogix determines the success of Facebook advertising campaigns by collecting information about the users who click on ad banners and comparing that information with those users’ real-world purchases.
Datalogix collects the real-world data by forming partnerships with stores who offer membership or loyalty cards that store digital information. Then Datalogix keeps track of the users who buy a product at an offline retailer after being shown a banner ad on Facebook. Datalogix can perform this matching by comparing the identifying data that a user provides in order to set up Facebook and store membership accounts. For example, if a user provides the same email address to set up her Facebook account and her drug store rewards card, Datalogix can use this common identifier to determine whether she bought the drug store product whose ad banner she clicked on while she was surfing Facebook.
Datalogix already has agreements with companies that record consumer data. For example, many companies who have a membership or loyalty card program are able to maintain records not only of the shopper’s identifying information - for instance, the name and email address that the shopper used in order to register for the loyalty card - but also of the shopper’s purchases while using that card. If Jane Doe has a discount card at Grocery Store X, and if she scans that card when she makes her purchases, then Grocery Store X is able to provide Datalogix with her name, registration information, and all purchases she has made since signing up for the loyalty card. By partnering with Facebook, Datalogix can add Facebook user information to its data pool and therefore to make determinations about user purchasing patterns. In order to determine whether a particular marketing campaign on Facebook is effectively inducing users to buy the product in stores, Datalogix will identify a marketing campaign, and separate Facebook users into groups according to their exposure to that set of ads. It will then record users’ interactions with the ads - for example, of the users who were exposed to an ad campaign, how many clicked on the ad. Then it will compare the information that the user provided in order to create the Facebook account - for example, the user’s name and email address - and compare that with the information already stored about the user in its data pool. For example, if Jane Doe used the same email address to register her Grocery Store X loyalty card and her Facebook account, Datalogix will can compare data about the ads that Jane clicks on with data about the products Jane buys at Grocery Store X to determine whether the online ads prompted Jane to buy the product offline.
All Facebook users are automatically included in the data-collection program, and they cannot opt out on the Facebook website. Instead, they must follow a link in Facebook’s “Help” section that leads them to Datalogix’s site. They can opt out of collection in a subcategory called “Choice,” under a tab called “Privacy.”
Datalogix has stated that it anonymizes user information and aggregates data about particular ad campaigns before it provides Facebook with any analytics. However, even with these anonymization features in place, Facebook may be violating an FTC consent order that it signed in August of 2012. The consent order contains provisions for securing the privacy of user data, among which is a provision requiring Facebook to give users clear notice of its intent to share user data with third parties.
In December 2009, EPIC along with a group of public interest organizations filed an FTC Complaint. The complaint highlighted changes in Facebook's policies and practices that threatened user privacy. As a result of the EPIC's FTC Complaint, the FTC brought its own complaint against Facebook—charging that Facebook deceived consumers by failing to keep privacy promises. The FTC settled the complaint with Facebook and issued an order detailing the results of that settlement.
The Order requires Facebook to have an independent privacy audit every two years for the next 20 years. The Order also prohibits Facebook from misrepresenting its privacy and security practices, as well as its compliance with any privacy program. The Order also requires:
- Facebook to give its users a clear and prominent notice and obtain their affirmative express consent before sharing their information;
- Facebook to remove user information within thirty days after a user deletes an account;
- Facebook to establish a comprehensive privacy program
Facebook, in a help article on its site, says that Datalogix and other service providers like it "produce aggregate[d] and anonymous measurement reports to advertisers." The help article goes on to state that "[n]o personally identifiable or individual data is shared with advertisers as part of the measurement process."
There are concerns about the data collection between Facebook and Datalogix. In addition to the potential violation of the consent order Facebook signed with the FTC in August 2012, there is nowhere on Facebook's website to opt-out. Instead, users have to go to the Datalogix website -- a company whom most of them have never heard of — and opt-out of their tracking. Facebook claims the partnership does not violate Federal Trade Commission regulations because it has a link to that option on its site in the help center.
EPIC, joined by the Center for Digital Democracy, wrote to the FTC asking for a determination of whether such data-matching partnerships violate the Consent Order. EPIC said that Facebook had omitted nearly all information about the partnership with Datalogix, and noted that the prohibition on "sharing" was not well-defined. Finally, EPIC explained that Datalogix's method of opting out was confusing and ineffective.
- EPIC's Letter to NAI (2000)
- Facebook: Data Use Policy
- EPIC: Facebook Privacy
- EPIC: Federal Trade Commission
- The Hill: Privacy groups call for FTC probe into Facebook's new ad-tracking partnership (Sept. 27, 2012)
- MediaPost: Advocates Seek FTC Probe Of Facebook-Datalogix Deal (Sept. 27, 2012)
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a by-monthly newsletter highlighting emerging privacy issues.