Facebook: Yep, we might have tracked users across the internet using the 'Like' button

But it was a mistake and we didn't mean to...

Social networking giant Facebook has admitted that its "Like" button planted cookies on users PCs that could track users and non-users alike across the internet.

It follows a report by Belgium's data protection authority, which accused Facebook of multiple violations of the EU e-Privacy Directive, of stalking people geographically via its smartphone apps, and of failing to both properly inform users of its data-collection activities, as well as acknowledging their rights as "data subjects".

"Facebook combines data from an increasingly wide variety of sources (for example, Instagram, Whatsapp and data brokers). By combining information from these sources, Facebook gains a deeper and more detailed profile of its users. Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes. The current practice does not meet the requirements for legally valid consent," concluded the report.

These data brokers include Acxiom, BlueKai, Datalogix and Epsilon, who keep large and growing databases about individuals, including both online activity and offline sources. In addition, the report claims that Facebook uses "pixel tags" and device identifiers to keep tabs on users' web browsing outside of the Facebook environment.

It also collects location data "from a variety of sources" and uses its mobile apps on multiple platforms to track people via their smartphones. The only way to stop that data collection mechanism is to turn-off the location setting in the smartphone's operating system. With smartphones typically coming with Facebook's mobile app pre-loaded, many users may not realise that they are effectively being stalked by Facebook via their phone.

However, Facebook has finally provided a detailed rebuttal against the claims by Belgium's data protection authority. It admitted that the tracking cookie, called "datr", was used to track both Facebook users and non-users alike, but claimed that this was a bug, and not intentional.

"We don't [use "social plugins" to add cookies to the browsers of non-users], and this is not our practice. However, the researchers did find a bug that may have sent cookies to some people when they weren't on Facebook. This was not our intention - a fix for this is already under way," claimed Facebook's vice president of policy for Europe Richard Allan in a blog-post rebuttal.

He added: "Our practice is not to place cookies on the browsers of people who have visited sites with social plugins but who have never visited Facebook.com to sign up for an account. The authors identified a few instances when cookies may have been placed, and we began to address those inadvertent cases as soon as they were brought to our attention."

Allan also rejected claims that Facebook is unclear about the extent of data sharing that it engages in, and that its policies potentially contravene EU data protection laws.

However, Belgium's data protection authorities are adamant that Facebook needs to do more.

"Facebook should offer granular in-app settings for sharing of location data, with all parameters turned off by default. This should allow users to determine when, how and what (location) data can be used by Facebook and to what purpose. Additionally, Facebook should provide more detailed information about how, when and why exactly location data is collected. Finally, location data should only be collected to the extent and for the duration necessary for the provision of a service requested by the user," the report concluded.