Facebook-Datalogix deal may skirt privacy promises

IDG News Service - Two privacy watchdogs filed a joint letter with the Federal Trade Commission on Thursday alleging Facebook may already be skirting an agreement to be more clear over how it handles user data.

A partnership with a data collector called Datalogix may violate parts of a recent FTC consent order that outlined privacy principles Facebook should follow, wrote the Center for Digital Democracy (CDD) and the Electronic Privacy Information Center (EPIC).

"Facebook did not attempt to notify users of its decision to disclose user information to Datalogix," according to the letter.

Datalogix collects data on what people buy through loyalty card programs administered by retailers. Those loyalty card users are matched to their Facebook profiles in order to serve them targeted ads based on users' buying behavior. Facebook and Datalogix maintain the matching is done after the data is anonymized on both sides.

Facebook users are automatically enrolled in the program. But the process for opting out of it is neither clear nor easy.

Deep in its "Help Center," Facebook discloses its partnership with Datalogix. In the letter to the FTC, the CDD and EPIC noted it takes five separate actions to reach Facebook's mention of Datalogix.

On that page, Facebook does not give further information describing its link to loyalty-card programs and what people buy. The FTC's agreement with Facebook, finalized in August, forbids misrepresentations by omissions, the groups wrote.

"Thus, the Commission should determine whether Facebook's failure to notify users of the disclosure of user information to Datalogix violates the consent order," the letter said.

Within the Help Center where it mentions Datalogix, it's not possible to opt-out from Facebook's data exchange with the company. Instead, there's a link to Datalogix's privacy policy. Under the heading "Choice," Datalogix offers a special cookie, or a small data file often used in online advertising systems to collect data on users such as what websites they've browsed.

The cookie is an opt-out cookie, which will tells Datalogix not to collect and store data from the person's web browser for tracking purposes.

Tests show that Facebook, however, does not install any Datalogix cookies on a person's browser when a person visits the social-networking site. It means that the installation of Datalogix's opt-out cookie would not stop the exchange of data between Facebook and the company.

The key is the last line in the paragraph under "Choice." It has a hyperlink, "click here," that unfurls a form that will allow a person to "opt out of all Datalogix-enabled advertising and analytic products."

Ironically, opting out of Datalogix's program with Facebook involves disclosing personal data to Datalogix, including a person's name, email address and physical address. The form must be completed by every member of a household, Datalogix advises. An opt-out request will be honored within 30 days.

Facebook confirmed on Thursday that the submission will stop the data sharing: "When you opt out of Datalogix analytics research, the data provided by retailers to Datalogix is not included in the aggregate measurement reports that are generated for our advertisers."

The digital rights group Electronic Frontier Foundation advised on its blog that if people are uncomfortable with this kind of data sharing, they best not sign up to loyalty card programs in the first place.

"Many people who sign up for loyalty programs may not realize the data amassed on them will be shared with entities outside of the store," the organization wrote.

Send news tips and comments to jeremy_kirk@idg.com