clock menu more-arrow no yes mobile

Filed under:

This is how Facebook collects data on you even if you don’t have an account

There’s little you can do about it.

Facebook CEO Mark Zuckerberg and actor Andy Samberg pretending to be Mark Zuckerberg
Comedian Andy Samberg (R) pretends to be Facebook CEO Mark Zuckerberg.
Justin Sullivan / Getty

One of the more interesting takeaways to come out of Facebook CEO Mark Zuckerberg’s multi-day congressional testimony last week was confirmation that the social giant collects data from people online even if they don’t have a Facebook account.

Also interesting: There’s no way to avoid it.

It was a big enough admission that Facebook even wrote and published a blog post on Monday aiming to explain why it does this.

But the blog post didn’t include everything. It didn’t mention the term “shadow profiles,” for example, a phrase often used to describe the kind of faux profile that companies can have about people even if they haven’t signed up. It also didn’t mention how long this data is stored, or how Facebook collects data from non-users when their friends who do use Facebook upload their phone contacts.

We’ve asked a few follow-up questions. Here’s what you need to know, courtesy of the blog and a company spokesperson.

What does the term “shadow profile” mean?

This is how the internet describes Facebook’s data trove of information on people who aren’t actually users — the idea for the name being that Facebook has enough data from people to create a version of their profile even if they aren’t around to use it.

Facebook CEO Mark Zuckerberg claims he doesn’t know the term. And a Facebook spokesperson tells Recode, bluntly, “We don’t build shadow profiles of people.” The data is collected for other purposes, we’re told.

What data is being collected about non-users?

Facebook appears to collect data from non-users in two main ways: From their browsing history and from their friends.

The browsing history data collection is what Facebook’s recent blog post described. When people navigate around the internet, sites that use Facebook’s advertising pixel or other social APIs linking back to Facebook (like the “Like” button) send data about those site visits back to the social giant. Facebook collects that data on everyone who visits these sites, whether they’re a registered user or not.

If you’re not a Facebook user, though, the data is less valuable. That’s because Facebook doesn’t sell targeted ads based on that browsing history like it does if you’re a registered user. But Facebook can still use that information, which includes your IP address, to show you ads encouraging you to join Facebook. That means Facebook might not make money from your browsing history if you aren’t a user, but it might spend money trying to reach you with its own ads.

The other main way Facebook gets info from non-users is from its contact upload feature. When people sign up for Facebook, many of them choose to upload their contacts to the service so that they can find other people to connect with. It’s likely, though, that some contacts in their phone aren’t on Facebook — but they’re still giving this info over to the company. Depending on how detailed people are with their contacts, this data could include a lot more than just a phone number.

What does Facebook do with this data?

As mentioned in Facebook’s recent blog post, some of the browsing data is used for analytics — that means that web and app developers pay Facebook to tell them how many people visit their site, etc. The company also claims it’s used for security purposes, like identifying bots. Here’s how Facebook explained that in its blog post:

Receiving data about the sites a particular browser has visited can help us identify bad actors. If someone tries to log into your account using an IP address from a different country, we might ask some questions to verify it’s you. Or if a browser has visited hundreds of sites in the last five minutes, that’s a sign the device might be a bot.

The contact book info is more interesting. Facebook can use the contact info for people who don’t use Facebook to help link two people who do use Facebook. Here’s how Kashmir Hill described the value of these connections in a great piece for Gizmodo late last year:

With its vast, hidden black book, Facebook can go beyond simply matching you directly with someone else who has your contact information. The network can do contact chaining—if two different people both have an email address or phone number for you in their contact information, that indicates that they could possibly know each other, too. It doesn’t even have to be an address or phone number that you personally told Facebook about.

Again, Facebook claims it’s not creating shadow profiles. “We don’t use that [contact book] information to build profiles about people who aren’t on Facebook,” a spokesperson said via email. She added, though, that “when new people join, we try to use existing contact data to help the uploader and the new person connect.”

How long does Facebook save this data?

Facebook says it won’t hold onto this data forever, but that’s slightly misleading. Facebook keeps browsing data from its users for up to 90 days, but deletes that data for non-users after 10 days, according to a company spokesperson.

Company Correction: Facebook deletes browsing data for non-users after 10 days, but only if it’s collected through one of the company’s social plugins, like the “Like button. If it is collected via Facebook’s advertising pixel, the company stores it for up to 90 days, according to a spokesperson.

Here’s the catch, though: People don’t usually leave the internet for 10-day stretches. That means that while Facebook may delete browsing data of non-users, it’s also likely collecting it continuously. Even if they delete a user’s browsing data from 10 days ago, Facebook probably has more, similar data from nine days ago. And eight days ago. And seven ...

Here’s the other catch: When users share their contacts with Facebook, that data “doesn’t time out” unless it’s manually deleted by the person who uploaded it, a spokesperson confirmed. Facebook’s website refers to contact uploads as happening “continuously,” so in all likelihood, the data of non-users never fully disappears from Facebook servers.

Is there any way to stop Facebook from collecting my data if I don’t have an account?

No. There is no way to opt out of this kind of data collection. You can avoid the internet (!), but even then, friends or family who share their contact list with Facebook may be giving the company your data.

How do I find out if I am sharing my contacts with Facebook?

Here’s a step-by-step guide for how to find out if you are uploading your contacts to Facebook, and how to stop sharing that info if you want to.

Here’s how you can figure out if you’re uploading your contact info to Facebook Messenger.

This article originally appeared on

Sign up for the newsletter Today, Explained

Understand the world with a daily explainer plus the most compelling stories of the day.