Privacy

Blocking advertising cookies only makes Facebook stronger

Vader and Obi Wan in a lightsaber duel. Vader is Facebook, and Obi Wan is the EU.

From a certain point of view, Facebook’s solution to having all their advertising cookies blocked is quite elegant. Some would say it’s pure evil. More on the specifics later, but first, some background.

Remember when Apple and Facebook had a bit of a tiff after Apple decided to block third-party tracking cookies in Safari and in iOS 14+?

Well, next year Google will be doing the same, by default, in Chrome. Chrome does of course already have an option to block third-party cookies, but I bet you haven’t switched it on.

By cutting down Facebook’s access to cookie data across the web, their advertising becomes less effective. No longer can they rely on automatic shared data from websites sent via cookies. Instead, they now ‘guesstimate’ retargeting audiences, using a range of anonymized data that groups people with similar interests. They then allow their customers to show ads to these audiences.

The downside, for Facebook, is that they no longer have access to data from specific users either on iOS devices or on browsers where third-party cookies are blocked. This means the retargeting becomes less effective (unless the iOS user has specifically opted into getting personalized ads – which is now off by default since iOS 14).

Facebook wasn’t very happy when Apple did this, even taking out full-page adverts in national newspapers and writing a blog post asking small business owners to speak up against Apple.

“Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook.”

I mean, there is some level of irony here given that Facebook’s tracking pixel is on most of the websites you visit.

I don’t want to be tracked, so blocking Facebook’s advertising is a good thing, right?

In principle, yes. It won’t be possible to individually target you if you’re using iOS or have third-party cookies blocked elsewhere.

You’ll still get targeted ads, but these might be less effective. Business owners won’t get as much data in their Facebook ads account, as it will use Aggregated Event Measurement (in the case of app install campaigns) to essentially guess what’s happening.

The privacy-conscious among you might welcome this turn of events because now the problem is solved, right? Well, actually, no it’s not.

Things just got a lot worse.

Facebook counters with the Conversions API

When Facebook lost a lot of tracking data through cookies, it came up with a way to still get your customer data to build audiences from. If you’ve spent any time in the Facebook Ads platform recently, you might have come across the Conversions API

If you haven’t heard of it, brace yourself.

In the EU, the GDPR law prevents personal data from being transferred without consent, to either the website owner or third parties connected to the website or any technology a business uses.

This is why cookie popup banners exist. We have an extensive post telling you all about how the ‘cookie law’ works.

In a nutshell, if you set a cookie on your website without permission, in the EU, you broke the law. 

You also need to list all the places you send personally identifiable information (PID) in your cookie and privacy policies.

In practical terms, the GDPR/cookie law is actually very enforceable right now, because you can easily scan a website and find out what cookies it uses and, just as importantly, when they were set.

Now, the Conversions API bypasses the need for third-party cookies entirely and collects far more PID than cookies ever could. And Facebook encourages you to use it.

How does Facebook’s Conversions API collect more PID than cookies?

When you fill in a form on a website or buy something through a checkout, you’re giving your data over to the website owner. That’s fair because without it the website couldn’t process your transaction or inquiry, submit your comment, or whatever.

Third parties don’t get access to this personal information (I’m talking about names, email addresses, form values, etc.). It’s not transferred in cookies.

What Facebook is doing is encouraging business owners to give them this data at the point of transaction, so they can use it to match to a Facebook user.

Their dashboard lists what they consider to be “best practices”, with suggestions as to what data you should collect:

  • Phone number
  • Email address
  • IP address
Facebook checklist showing that their best practice is to select a number of pieces of personally identifiable information, found within the Facebook Ads dashboard.

Yes, you heard that correctly. They’re advocating that the “best practice” when using the Conversion API is to transfer your customer’s email address, IP address, and mobile phone number, at a minimum.

Many more options are available in the API, including gender, country, date of birth, and postcode/ZIP.

They say “Customer information is used to match your events to Facebook account ID so you can use them to attribute your ad performance and show ads to people who are most likely to convert.”

Here’s a link to Facebook’s help article listing the customer information parameters that Facebook accepts.

Facebook's customer information parameters, showing checkboxes for personal information including names, phone numbers, dates of birth, and many more

The best thing about this from Facebook’s point of view, of course, is that the business owner is entirely responsible for where and to whom this data is sent.

The Conversions API page, and elsewhere in the Facebook dashboard, states (emphasis mine):

“Note: Ensure that you have obtained the proper lawful permissions and any necessary consent before you share any information with a third party. We provide general information and links to helpful industry resources in our Consent guide, but ultimately you’ll need to work with your own legal counsel to develop your data sharing compliance plan.”

Thereby absolving themselves from any legal liability for receiving the data you give them. That’s right, the business owner is the one getting sued if they don’t include all this information, along with purposes for its use, in their privacy policy.

The worst part about this from a GDPR enforcement perspective is that all this information transfer is “dark”. Cookies can be detected easily, but this transfer of PID is done on the company server.

Only with access to that server code can anyone see what’s actually going on. The data itself is invisible.

So, even though this behavior is subject to GDPR and other privacy laws around the planet, nobody can know unless the web owner tells you. This means the law will be much harder to enforce.

Secondly, and this is even more concerning to privacy advocates, is that there’s no way to block it. No Adblock, no cookie blocking, nothing.

As a consumer, you should assume that Facebook is getting your data whether you’re on iOS or whether you blocked cookies in your favorite browser, as soon as you buy something from an online store that also has a Facebook ad account.

In fact, you’re MORE dependent now on the company being nice and NOT sending all your data.

It gets worse. Businesses can connect their CRM to Facebook and it can receive all the data in all of your form submissions, without even implementing any code.

Oh, and that’s enabled by default.

A clever design

The clever bit is that the design of this ‘solution’ to cookie blocking will ever so subtly influence the business owner to enable all the options.

Which website owners, especially in eCommerce, wouldn’t want to send all this information across especially given that without proper tracking Facebook ads have reduced ROAS by up to 30%.

Remember the wording in the Facebook ad account from earlier?

“Best practices – Selecting the right parameters can help improve your event match quality score and event deduplication, which can lead to better ad performance,” and “make sure you’ve configured the best parameter setup.”

Everything is written to encourage you to hand over as much information as possible.

So, what do we think about all this?

Making the web a better place is in our DNA. But what Facebook is doing here is making it much, much worse, especially in terms of privacy.

You have to hand it to them for coming up with a solution that:

  • Enables them to solve the problem of blocked cookies for advertising effectiveness
  • Allows them to collect even more data than before
  • Removes all liability under GDPR and places it on the website owner

Morally, though, we’d have to disagree with this approach. Internet privacy is a fundamental right, and changes like this threaten it.

The truth is, nobody reads privacy policies, and probably the average consumer doesn’t even care. They’re sharing all their data with Facebook directly anyway, so what’s the big problem?

The problem is that, for the consumer, there is no choice. No way to block or opt out of this behavior, and no way to know it’s happening (without reading through the privacy policy of every website and assuming that businesses disclose all this information transfer as they should do).

We’re taking a stand.

A couple of months ago I removed Facebook and Twitter’s tracking pixels from the Silktide website, along with others.

Our long-term goal is to remove all third-party tracking from Silktide.com in the EU, including Google Analytics.

The result of this is that finally, we’ll be able to get rid of our cookie banner – the bane of the existence of everyone who’s ever visited a website.

Given that I’m a marketing professional, you’re probably asking yourself “Why is the head of marketing at a global tech company removing their web analytics,” and the answer is simple.

We’ve built our own cookie-free analytics solution that’s privacy-focused and works effectively without tracking or storing individual user data.

A problem with most analytics providers, like Google, is that for them to work a cookie must be set. I mentioned before that under GDPR, a business is not allowed to set any cookies until the visitor explicitly clicks “I Accept” in the cookie banner.

This means that anyone who doesn’t accept cookies simply won’t be tracked in your analytics, because Google cannot know about them unless that cookie is accepted.

Silktide Analytics is entirely GDPR compliant and suits organizations in any regulated industry that must adhere to local cookie and privacy laws. Because of that, it can give you analytics data for every visitor, as there’s no need to opt in to cookies (there are none).

Who knows, it might even be the beginning of the end of the cookie banner.

Footnote: Hey fellow Star Wars fans! Yes, we know, this headline isn’t quite canon. But would you rather have Facebook portrayed by Obi-Wan?

Join our accessibility newsletter

Get the latest accessibility news, tips, tricks, and info, straight into your inbox. We send at least once per month.

Back to top