What do Led Zeppelin, Cisco and Dr Oetker have in common? Facebook says they share our data with them

A PI investigation into advertisers we had never heard of who upload our personal data on Facebook to target us.

Key findings

Back in October 2019, PI started investigating advertisers who uploaded personal data to Facebook for targeted advertising purposes. We decided to take a look at "Advertisers Who Uploaded a Contact List With Your Information", a set of information that Facebook provides to users about advertisers who upload files containing their personal data (including unique identifier such as phone numbers, emails etc...). Looking at the limited and often inaccurate information provided by Facebook through its "Download your Information" tool, it became quickly obvious that something was wrong.
Of all the PI staff who took these steps, everybody found at least a few brands (or advertisers) that they had never heard of. If we've never heard of them, how could these companies possibly have personal data about us? This question took us on a long and torturous Odyssey paved with Data Subject Access Requests and requiring a lot of patience.
But to cut a long story short: there are three major problems with what we found.

1/ How our data is used for advertising by brands, third parties and Facebook raises data protection issues

It's a pretty obvious point but discovering unknown brands in this list is a pretty unpleasant experience. It highlights not only how little users can understand about what's happening behind the scene, when it comes to online targeted advertising, but also exposes data protection issues. Again and again, there was no transparency or clear legal justification as to the apparent uploading and use of this data. And that's just the start.
The reasons for this can be many: Maybe the company never cleaned its customer list; Maybe it was bought and merged its client list with another; Maybe it went through a marketing agency who offered to combine huge lists of potential clients on their behalf; Maybe the company doesn't even know. But whatever the reason is, the result is problematic and raises questions under data protection law.

2/ Users are not properly informed about how they are targeted

We've talked about this before and even asked Facebook to take action: as a Facebook user, you should be able to understand who targets you and how you are targeted on Facebook. When using Facebook, you can click the "Why am I seeing this ad" when you encounter an ad, but the amount of information is usually insufficient.

Screenshot of a popup to explain why you are seeing this ad. Before January 2020 on the left and after January 2020 on the right. Some improvement but still a long way to go

Facebook's "Download your information" theoretically provides more information allowing you to understand how you are being targeted (the description reads "Ad topics that are relevant to you, advertisers who have collected information directly from you, information you've submitted to advertisers and your interactions with businesses and organisations you visit off of Facebook"). But the reality is different. As we demonstrated, the information Facebook gives you about advertisers is often inaccurate. The list of advertisers who have uploaded your personal data changes from one month to the other, with some of them simply disappearing, which means the list is not as extensive or complete as Facebook wants us to believe.

Read "No, Facebook is not telling you everything"

Similarly, the latest Off-Facebook features offers little insight into how users are tracked and finally targeted on Facebook. Facebook sometimes only tells you that there was a CUSTOM interaction with a given app or website, leaving users in the dark as to how, when and where this interaction happened, and how consent was obtained.

3/ Exercising our rights is difficult and Facebook isn't making it easier

While the transparency offered by Facebook in order to understand how we are being targeted is limited, the platform also doesn't offer much when it comes to allowing us to exercise our rights.

Facebook page showing users the advertisers that have uploaded their information them (after redesign, January 2020)

Our investigation demonstrated how difficult it is to contact an advertiser when the only information Facebook gives you is a link to their Facebook page. As a user, it should be easy to contact the company responsible for the advertising and question why they have data about us. But with the little information Facebook gives, your only options are to either contact the Facebook page (which requires you to use Facebook further) or search the name of the company to look for contact information (in which case you might end up contacting an affiliate or subsidiary completely unrelated to the advertising you saw).
This is not an acceptable situation for people to exercise their rights and seek information about companies using and seeking to profit from, their personal data.

Note: Facebook recently reworded this page to include more information about the advertisers and the conditions of use of the data they uploaded. This is a welcome improvement but there is still a lot to be done. Contact methods are still mostly limited to Facebook pages and there is no information regarding how the data was obtained in the first place

What you can do