You’re Being Followed

Does Facebook know more about you than your best friends do?

Five Figures to Consider

52,000 unique attributes Facebook uses to classify users
5% growth in the number of Facebook users in U.S., Canada and Europe in 2017
46% increase in ad revenue in U.S., Canada and Europe in 2017
4 ways Facebook gathers data on you when you are not logged into Facebook
2018 is the year Europe enacts privacy and data protections we do not have in U.S.

Over Thanksgiving and winter school breaks of 2015, applicants to the Berklee College of Music who hadn’t yet finished their applications started seeing reminder ads from Berklee in their Facebook news feeds. At the same time, Facebook users with degrees in music therapy were being shown ads from Berklee’s graduate programs, and Facebook users whose profiles were lookalikes for the previous year’s summer school students were seeing Berklee summer school ads. For Berklee, the campaigns represented money well spent. The school had a 40% increase in applications to its Music Therapy graduate program and a 10% rise in paid summer school registrations.

Welcome to the world of personalized advertising. If it feels like online advertisers know you better than your best friends do, you’re probably right. According to a 2016 ProPublica investigation, Facebook uses more than 52,000 unique attributes such as “big city moms,” “away from hometown” and fan of “breastfeeding in public” to classify users. These attributes combined with information Facebook obtains from partners and data brokers are used to create 29,000 categories of users for Facebook ad buyers to target. In the Berklee example above, ads targeted a list of applicants with unfinished Berklee applications, a purchased list of people with music therapy degrees and Facebook “lookalikes” based on last year’s summer school population.

Even when you don’t see Facebook, Facebook sees you. In his testimony before the U.S. Congress last week, Mark Zuckerberg dodged the question when Senator Kamala Harris asked him if Facebook follows users when they are not logged into the Facebook application. This week Facebook answered the question. Yes, we do. In at least four ways. Through the Facebook plugin services that other websites and apps use, such as “like” and “share” buttons, through Facebook login services apps use, through Facebook analytics websites use to measure customer data and through Facebook brokered ads that websites contract to run on their own sites. Through these business tools, Facebook collects information from its partners about your device, websites you visit, purchases you make, ads you see and how you use Facebook partners’ services, even if you don’t have a Facebook account!

All that data adds up to big bucks as it enables Facebook to pinpoint markets advertisers want to reach on Facebook and off. Ad revenue, not user growth, is the engine of Facebook’s earnings. Consider that the number of Facebook users in the U.S., Canada and Europe – where Facebook earns 74% of its revenue –  grew just 5% in 2017. In contrast, advertising revenue in those regions soared 46% to $29 billion. Facebook’s worldwide advertising revenue, which comprises 98% of its overall revenue, was $40 billion in 2017. According to Statista, Facebook controls 20% of the global online advertising market (second to Google.) The company’s 57% operating profit margin is four times that of the S & P 500 average.

Since the congressional hearings sparked by the Cambridge Analytica and Russian election interference scandals, Facebook has rushed to get ahead of threatened regulation by promising improvements in privacy protections and transparency, including eventually bringing to the United States the same changes that are being required by the European Union’s General Data Protection Regulation (GDPR), which goes into effect next month. GDPR will restrict the personal data that companies can collect and store, further protect the personal data of children, require consent agreements to be in plain language as opposed to “legalese” and institute a “right to be forgotten,” that is to have one’s data deleted. The regulation also sets fines and penalties for data misuse and data breaches.

The U.S. deserves its own version of the GDPR. Today institutions that lose customers’ data rarely pay financial penalties for the security failure. Only in certain states and under certain conditions can regulators penalize companies for losing personal data. The FTC may be able to collect a fine from Facebook on the Cambridge Analytica breach, but only because the breach may have violated a previous 2011 settlement between the FTC and Facebook. The MY DATA Act of 2017 introduced into the House and Senate this past December aims to empower the FTC to promulgate and enforce new data protection regulations. Meanwhile, the Center for Digital Democracy and other consumer privacy groups are urging Facebook to adopt GDPR as a global standard.

Whether or not Facebook classifies you as someone who might be interested in a graduate music therapy degree, someone with very liberal politics or a stay-at-home father may or may not creep you out. Some of the applicants to Berklee College of Music may have been grateful for the application reminders. Others might have felt it was an invasion of their privacy.  If you are curious about how Facebook classifies you, check out the Ads page under your Facebook settings. There you can find the advertisers who have uploaded your contact information to Facebook and are targeting you with the assistance of Facebook’s ability to match your contact information, your Facebook profile, your Instagram account (Facebook owns Instagram) and your IP address. You can also see the interests and categories Facebook applies to you. Don’t like how you are profiled? You can delete the categories you don’t like. At least in the Facebook app. Of course, as soon as you delete them, the profiling will begin again.

Facebook has too much data on its 2.1 billion users to continue to be allowed to regulate itself. The FTC should pursue a substantial fine for the Facebook Cambridge Analytica breach. We should adopt GDPR-like privacy regulations and institute financial penalties for future data breaches. In the meantime, be your own data scrubber. Visit Facebook and clean up your profile.


Center for Digital Democracy,, CSI Market,, Facebook, Lawfare, ProPublica, Statista