While the data might not immediately identify you, it could theoretically be used to recognize someone through roundabout means, such as the apps they have installed or whether they travel with the same person.

The concern isn't just that apps are oversharing data, but that they may be violating the EU's GDPR privacy rules by both collecting info without consent and potentially identifying users. You can't lay the blame solely at the feet of Facebook or developers, though. Facebook's relevant developer kit didn't provide the option to ask for permission until after GDPR took effect. The social network did develop a fix, but it's not clear that it works or that developers are implementing it properly. Numerous apps were still using older versions of the developer kit, according to the study. Skyscanner noted that it was "not aware" it was sending data without permission.

Facebook was sympathetic to Privacy International's concerns in a response, stating that it was crucial for people to both know when an app send data and to "have control" over whether or not that data is linked to them. Future changes like Clear History will also help, Facebook said. The company also stressed to the Financial Times that developers could turn off automatic data gathering and could delay sending app analytics. Still, it's evident that app creators either aren't paying attention to these changes or bothering to adopt them -- they may need a nudge if they're going to avoid controversies and EU fines.