Has anything changed for private individuals since GDPR came into force in May?
This is a two-part blog about an experiment we undertook to find companies held our data, and then to exercise our rights, under GDPR, to request that data.
Lifting the lid on Facebook Ads
Following the Facebook/ Cambridge Analytica data theft which we blogged about in March, we decided to use the facility to download our Facebook accounts. We wanted to find out what they were storing about us, and which third parties also held our data.
The option to download your Facebook profile is (currently) in Account settings under Your Facebook Information.
This exercise was in itself fascinating and scary in equal measures. In addition to personal details, contacts, photos, messages and pokes (remember those?) the download includes a section called Ads. This is where Facebook gets creepy.
I had been involuntarily assigned to over 100 Ad topics by Facebook, presumably based on everything it knows about me and so advertisers can target me more effectively. A lot of the terms are vague, innocuous or obvious:
- Web design
Some are weird and completely off-target:
- Ice hockey
- Plant morphology
- Association football (Soccer)
Others crossover into more disturbing territory:
- White (Color)
- Political parties - Mat's included a number which he has no affiliation with: Christian Social People's Party, European People's Party, Republican Party (United States)
You can ask to be removed from any of these Ad topics, but obviously, you need to find out how Facebook has you pigeon-holed before you can do that.
Personal interest aside, our Ad topic profiles were so poor that they would be of extremely limited value to advertisers. The correct matches are no-brainers; the incorrect matches range from off to way-way-off.
There's an online tool from Cambridge University (not to be confused with Cambridge Analytica) called Apply Magic Sauce which tries to predict "your psycho-demographic profile from digital footprints of your behaviour". Some people report that this pegs them down to a tee, while others say the description is unrecognisable.
It looks like that automatic profiling (at least what is being published publicly) is a very blunt, unreliable tool at the moment which might not be great for advertisers, but perhaps if you are targetting millions it's enough to get your message across.
The personal data octopus
The next section of interest in our Facebook downloads was 'Advertisers with your contact info'. This was another "wait.. what?" moment. My Advertisers were:
- Bed Bath & Beyond
- Airbnb and Airbnb （エアビーアンドビー）
- Deliveroo and 戶戶送 deliveroo
- Demi Lovato
- PediaSure US
- Kate Hudson
- Ahalogy Partners
- Just Eat UK
I had heard of some of these, but many I had no clue about. The other part of the Ads section is an Ad history of ads I had clicked (deliberately or accidentally). None of the Advertisers with my data were listed in ads I had clicked, so my question became not just what are you storing, but why do you have it in the first place.
The Facebook download only provides these Advertiser names, no links or contact details, so I googled them and sent a standard email:
According to the information I have downloaded from my Facebook account, your company has my contact info as a result of previous adverts you ran in Facebook.
As an EU citizen with rights under GDPR I would like to know:
- what information you store about me
- why you are storing or processing it
- how long you will be storing it
Thank you in advance for your co-operation.
The response was mixed to say the least. I'll let you know how I got on in Part 2.