A German data protection authority contends Facebook is tracking users even after they delete their accounts.
Hamburg’s Data Protection Authority (DPA) has published a report about how Facebook uses cookies, or small pieces of data stored in a person’s Web browser that record browsing behavior, said Johannes Caspar, head of the agency.
Caspar said if users do not give their consent, Facebook should delete information it has stored, in accordance with European privacy regulations.
The agency concluded that Facebook does not need to leave persistent cookies on a person’s computer, some of which remain for up to two years even if they delete their accounts, Caspar said. “Our investigation gave no reason for the setting of cookies,” he said.
Caspar said his agency is waiting for Facebook technicians to provide an explanation. Facebook said in a written statement it would have provided information about how it uses cookies prior to the report and that it was “surprised and disappointed.” Any publication by the DPA is incomplete until the agency has the full information about cookies, Facebook contended.
Facebook has faced scrutiny before over how it uses cookies. The company maintains that when a person logs out of their account, the cookies that remain do not contain account-related identifiers.
The cookies are used for security reasons, such as identifying spammers and ensuring minors don’t try to sign up to the service with a different age, the company said in a statement. It also uses cookies to identify computers used by more than one person to log into Facebook in order to discourage the use of the “keep me logged in” feature on those machines.
But cookies can easily be deleted in Web browsers. Firefox has a setting, for example, to delete cookies once the Web browser is closed, effectively foiling efforts to collect consistent information from a computer.
Other measures can also be used to foil data collection, such as the use VPNs (Virtual Private Networks), which can make a computer appear to have an IP (Internet protocol) address in, say, China, when the computer is actually in the U.K.
Hamburg’s DPA has another outstanding issue with Facebook. It is still awaiting a response from the company about its facial-recognition feature that automatically identifies a person’s friends and suggests their name. The agency believe that users should have to give their consent before Facebook’s systems store and study their faces to enable the feature. The company has until Monday to respond to that complaint.
If the discussions break down, the Hamburg DPA will pursue legal options, Caspar said. The agency has the power to levy fines.