Almost two dozen popular Android apps automatically send user data to Facebook as soon as they are opened in a potential breach of data protection laws, a new report by Privacy International has revealed.
An analysis of 34 Android apps showed 61 per cent of apps automatically transfer data to Facebook, even if the user is not logged in or does not have a Facebook account.
The data transferred includes the user’s unique Google advertising ID and information about which apps the user has opened. Privacy International said that when combined the data could paint a “fine-grained and intimate picture” of the user's activities, interests and behaviour.
The report singled out travel booking app Kayak, which it said sent detailed information about flight searches to Facebook, including departure and arrival details and number of tickets. It also criticised Trip Advisor for its transferral of user data.
Privacy International said the findings raise a number of legal questions. Under EU data protection laws, known as GDPR, companies are required to gain explicit consent from users before using their personal data.
The report called on Facebook to provide a clearer explanation of how it uses data and to make it easier for people to exercise their data rights, even if they do not have a Facebook account.
“Facebook’s SDK [software development kit] tool means that developers can choose to collect app events automatically, to not collect them at all, or to delay collecting them until consent is obtained, depending on their particular circumstances,” a spokesperson for Facebook said.
“We also require developers to ensure they have an appropriate legal basis to collect and process users' information. Finally, we provide guidance to developers on how to comply with our requirements in this regard.”
The findings come after Facebook was rocked by controversy last year surrounding its use of user data.
The social network has been fined £500,000 by the Information Commissioner’s Office (ICO) and faces a lawsuit in the US after Cambridge Analytica breached privacy laws by harvesting the data of up to 87m Facebook users.
The report also called on Google to block third-party tracking on its Android devices.
“The behaviour described is not Android behaviour, is not specific to Android, and it does not occur as a result of any aspect of Android’s design,” Google said in a response to the report.
“The same behaviour will be observed in other operating systems because it is the by-product of Facebook’s arrangements with the third-party apps that implement Facebook’s SDK.”
A spokesperson for Trip Advisor said: “The technical issues raised by Privacy International are extremely complex, and we respectfully consider the statements they have made to be somewhat oversimplified.
“We are currently in the process of investigating the remarks published regarding our use of the Facebook SDK. We will make a determination about any actions or clarifications once the investigation is complete.”
Kayak has been contacted for comment.