Why it matters: Facebook is still tracking what apps a user opens even if they don't have a Facebook account. This affects at least 61% of apps tested and is likely illegal under new GDPR laws.

Despite heavy scrutiny and new privacy laws, a new study reveals that many of the most popular Android apps are still sending user data to Facebook. This data is sent regardless of whether or not a user is logged in or even has a Facebook account. The data is sent immediately when the app is opened and before the user has the option to opt out or enable privacy settings.

Privacy International conducted the study and found that at least 61% of apps they tested send this data to Facebook. The data in question contains details about what app was opened, when it was opened, who opened it, and how long they used the app. Since the unique Google Advertising ID (AAID) is sent with the data, Facebook can profile users even if they don't have a Facebook account.

For example, if someone opened the "Indeed" app, they are likely looking for a job. If someone opened the "Qibla Connect" app, they are likely Muslim. Other apps tested include Duolingo, Kayak, Shazam, Spotify, TripAdvisor, Yelp, and more. The full list is available here.

Facebook's Cookies Policy lists two methods that non-Facebook users can use to opt-out, but Privacy International determined they don't actually change what data is sent to Facebook.

While data on what apps are opened by a user may seem innocuous, Facebook can then combine it with data collected through other means to create a very detailed personal advertising profile. The issue is not with the apps themselves, but with Facebook's Android SDK which is used by the developers to make the apps.

On June 28, Facebook claimed that they updated their Android SDK to add a delay to this event logging which would only send data once users had consented. However, this update came well after GDPR laws took effect and only works on certain versions of the SDK. Many of the most popular apps are using older versions of the SDK which do not have this privacy feature. The update also does not even disable the SDK initialization message in question and the apps are still sending data.

Privacy International was not able to determine for sure how Facebook uses this data since they aren't very transparent with these matters. Regardless, Facebook still has a lot of explaining to do.

Second image courtesy AngieYeoh via Shutterstock