Facebook is in hot water with the French data protection authority CNIL for tracking the browsing history of Internet users who do not have Facebook accounts. Also at question is the transfer to the U.S. of personal data on users. Facebook has been given three months to comply with CNIL demands or face sanctions.
A CNIL notice reads: “Indeed, the company does not inform Internet users that it sets a cookie on their terminal when they visit a Facebook public page (e.g. page of a public event or of a friend). This cookie transmits to Facebook information relating to third-party websites offering Facebook plug-ins (e.g. Like button) that are visited by Internet users.”
CNIL also notes that the social media site collects user data such as political and religious views as well as sexual orientation, “without the explicit consent of account holders.” The Facebook sign-up form also does not inform users how their personal data will be used. CNIL said that compiling this data does not meet the primary purpose of the contract Internet users enter into when they enroll in the website.
CNIL noted that users are not offered any tools that would prevent Facebook from compiling information to be used in targeted advertising. Facebook is also accused of continuing to use a Safe Harbor data transfer mechanism that is no longer legal, having been invalidated last October by the European Court of Justice. Facebook claims that it is not using Safe Harbor for data transfer.
Facebook has more than 30 million users in France. CNIL said that it has made public its formal notice against the social media giant due to “the seriousness of the violations and the number of individuals concerned by the Facebook service.”
Facebook claims that it uses this data to help determine whether visits to its website are legitimate or not, and that it identifies browsers, and not individuals. However, that still allows the company to know a substantial amount of information on the last 10 days of browsing history of non-account holders that may have dropped into Facebook only once.
A statement by a Facebook spokesperson said “We are confident that we comply with European Data Protection law and look forward to engaging with the CNIL to respond to their concerns.”