Facebook ordered to keep apps separate unless users opt in to sharing

A few weeks ago, the New York Times reported that Facebook CEO Mark Zuckerberg is planning to interconnect all of the company’s chat apps – Messenger, WhatsApp and Instagram – in spite of having promised to retain the independence of WhatsApp and Instagram when it bought them.

According to the NYT’s sources – four company insiders – the goal is to keep people’s attention focused on Facebook. The more time they spend on the platform, the better for its advertising revenue, the sources said.

Oh? Well, how about “Absolutely not,” Germany’s competition regulator suggested this week.

On Thursday, the Bundeskartellamt (FCO) issued an order saying that Facebook can keep collecting data from its apps, but it can’t combine that data with a user’s main Facebook account unless the member gives their “voluntary consent.”

The order comes following a probe, begun in March 2016, into how Facebook collects and combines data from all of its apps.

So much for Facebook’s dream of creating a multi-tentacled chat blob to advertise at. From the ruling:

Where consent is not given, the data must remain with the respective service and cannot be processed in combination with Facebook data.

As well, Germany has ruled that Facebook’s going to have to get consent before it’s allowed to collect data from third-party websites or to assign that data to a Facebook user’s account.

Andreas Mundt, President of the Bundeskartellamt:

Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts. The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power. In future, consumers can prevent Facebook from unrestrictedly collecting and using their data.

Without user consent, Facebook won’t be allowed to merge data from its different sources, he said.

Mundt said that an “obligatory tick on the box” doesn’t cut it when we’re talking about agreeing to Facebook’s “intensive data processing.” Given that Facebook is the 500-lb. gorilla of social networks, users don’t have much choice but to go along with its terms of use, meaning that they haven’t really had what one might call “voluntary consent.”


The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent.

Tripping up tracking

Besides how this ruling might affect what are reportedly Zuckerberg’s plans to commingle user data from its apps, it could also affect how Facebook tracks both users and non-users alike across websites and apps.

One of the ways it does so is with the Like and Share buttons on external sites. Those buttons enable Facebook to track visitors’ IP addresses, what web browser (and version) they’re using, and other things that can help to identify who they are – even if they don’t actually click on the buttons. Facebook also collects device-identifying information via the Facebook Login, which lets users avoid having to type in a unique username and password for each service.

Facebook also has multiple tools to let advertisers target users and non-users when they’re not on its platform: Audience Network, for one, lets advertisers create ads on Facebook that show up elsewhere in cyberspace.

Advertisers can also target non-users with a tiny but powerful snippet of code known as the Facebook Pixel: a web targeting system embedded on many third-party sites. Facebook has lauded it as a clever way to serve targeted ads to people, including non-members, and uses the code to let third-party sites track whether the ads they run on Facebook succeed in converting visitors into buyers.

The ‘what, who, huh?!’ of the ads you see

In other, related news, Facebook users are going to see more information when they click “why am I seeing this?” – a question that can be accessed by clicking the top-right drop-down of any Facebook ad.

Up until now, users have been shown what brand paid for the ad, some biographical details they targeted and if your contact information had been uploaded. But starting on 27 February, Facebook’s going to also show:

  • when your contact info was uploaded,
  • if it was the brand that uploaded it or one of its agency/developer partners, and
  • when access to your information was shared between partners those partners.

It’s part of Facebook’s attempts to introduce more transparency into its ads business – efforts it started following criticism over its ads being used to tinker in the 2016 US presidential election. For example, over the past year, Facebook – along with Twitter and Google – have all been working on boosting transparency around who buys electoral and political issue-based ads.

Before that, in February 2018, Facebook said it was going to verify election ad buyers by snail mail. As well, Facebook last year began attaching “paid for by” labels on political and issue ads on Facebook and Instagram in the US and launched an archive to look it all up.

Facebook must be a bit weary of making privacy splashes: at any rate, rather than publishing a post about the “why am I seeing this” changes on its newsroom feed, it announced it on the Facebook Advertiser Hub page.

At any rate, back to the FCO ruling:

Facebook: Popular ≠ dominant

Facebook has a month in which it can appeal the ruling, and appeal it shall. In a blog post posted on Wednesday, Facebook said that the FCO has got it all wrong on three counts.

First, Facebook said, the FCO is underestimating the “fierce competition” the company faces in Germany. We’re really not all that popular in Germany, it said:

The Bundeskartellamt found in its own survey that over 40% of social media users in Germany don’t even use Facebook. We face fierce competition in Germany, yet the Bundeskartellamt finds it irrelevant that our apps compete directly with YouTube, Snapchat, Twitter and others.

Facebook says that the regulator also “misinterprets” its compliance with the EU General Protection Data Regulation (GDPR), by overlooking how Facebook actually processes data and what steps it’s taken to be compliant with the GDPR. At any rate, this should all be left up to the Irish Data Protection Commission, it said – the authorities who “have the expertise” to rule on these things.

In fact, Facebook says, the ruling “undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU.”

Facebook defended the way it ties information together, pointing to positive outcomes such as “identifying abusive behavior and disabling accounts tied to terrorism, child exploitation and election interference across both Facebook and Instagram.”