A worrying number of popular Android apps share user data with Facebook without user consent, new research from Privacy International shows (via Financial Times).

Here's the worst part: Staying off Facebook doesn't protect you from this.

Privacy International, a London-based charity that focuses on improving people's personal privacy, examined 34 popular Android apps, each installed from 10 to 500 million times, between August and December 2018.

All of these apps share data with Facebook through its SDK (software development kit), which is fine if the users have in some way consented to this. But the organization intercepted data as it was sent (using a freely available, open-source tool) and found that at least 20 of these apps (roughly 61 percent) "automatically transfer data to Facebook the moment a user opens the app."

This happens even if the user is logged out of Facebook or doesn't even have a Facebook account, researchers claim.

The data shared sounds pretty innocuous by itself: typically, the apps communicate to Facebook that a user has started using the app by sending a signal that Facebook's SDK has been initialized. But Privacy International's research shows that apps that automatically share this data do it together with a unique identifier called the Google advertising ID.

"If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion," Privacy International claims.

Some apps go even further, sending data to Facebook that Privacy International describes as "incredibly detailed and sometimes sensitive." One example is travel search app Kayak, which sends Facebook detailed information about users' flight searches, including data like departure/arrival date, city and airport as well as number and class of tickets.

Furthermore, Privacy International's research showed that the data sharing described above happens even for users who don't have a Facebook account, and have opted out of receiving Facebook cookies (as explained in Facebook's Cookies Policy).

Facebook's SDK rules place responsibility for making sure they have the right to collect and share user data. And on May 25, 2018, when the EU General Data Protection Regulation (GDPR) entered into force, these rules became much stricter in the European Union. But the developers were initially unable to stop their apps from sharing the "SDK initialized" data with Facebook, simply because the option wasn't there.

In a response to Privacy International, Facebook acknowledged that developers didn't have the option to disable transmission of the "SDK initialized" data before June. "Following the June change to our SDK, we also removed the signal that the SDK was initialized for developers that disabled automatic event logging,” Facebook told Privacy International in an email. Facebook also said it is working on a "suite of changes" that should address Privacy International's privacy-related concerns.