On Monday we reported on Facebook's new plan to help advertisers judge the effectiveness of their ads by cross-referencing them with customers' offline retail purchases. The social networking giant established a partnership with Datalogix, a company that manages loyalty programs for a number of retail stores. Facebook hopes the partnership will allow it to supply its advertisers with fine-grained data on the effectiveness of their ad campaigns.

Two privacy groups, the Electronic Privacy Information Center and the Center for Digital Democracy, have asked the Federal Trade Commission to investigate the arrangement. They claim that Facebook has failed to provide its users with proper notice as required by last year's settlement of an FTC privacy investigation.

"Facebook did not attempt to notify users of its decision to disclose user information to Datalogix," the groups charge in their letter. "Neither Facebook’s Data Use Policy nor its Statement of Rights and Responsibilities adequately explains the specific types of information Facebook discloses, the manner in which the disclosure occurs, or the identities of the third parties receiving the information."

Indeed, the groups note, Facebook's only disclosure of its relationship to Datalogix is buried at the bottom of the "Interacting with Ads" page on the site. "This page requires at least five actions to reach from the Facebook.com home page and simply directs users to the Datalogix privacy policy," the groups write. That, they say, does not comply with Facebook's obligation under the settlement terms to proactively disclose when and how user data will be disclosed to third parties.

The groups are unimpressed with Facebook's argument that the sharing is kosher because user information is anonymized before it is shared with Datalogix. They note that the FTC itself has written that "hashing is vastly overrated as an ‘anonymization’ technique." The groups argue that the FTC needs to supervise the use of anonymization techniques to ensure they are done correctly.

Finally, EPIC and CDD charge that "the method offered by Facebook and Datalogix for consumers to opt out of the data-sharing," involving the placement of an opt-out cookie, is "confusing and ineffective."

"We are confident that we are compliance with our legal obligations," Facebook told Ars in an emailed statement on Thursday. "We know that people share a lot of information on Facebook, and we have taken great care to make sure that we measure the effectiveness of Facebook ads without compromising the commitments we have made on privacy. We don’t sell people’s personal information, and individual user data is not shared between Facebook, Datalogix or advertisers."