In the wake of the scandal involving Facebook and the political consulting firm Cambridge Analytica, Facebook says it plans to limit what personal information outside companies, including quiz and game developers, can learn about consumers. But the company hasn’t done as much to scale back its own data collection.

If you have a Facebook account, you probably know that the company uses information about the stories you share and react to, along with the data in your profile, to show you ads.  

But you may not know that Facebook also tracks you across the web, on many other websites that aren’t visibly connected to the social network.  

“Facebook wants as much information as it can get,” says Casey Oppenheim, co-founder of data security firm Disconnect. “Most people don’t understand that Facebook is tracking you when you’re not on the platform."

Facebook's Privacy Problem

While Facebook has used such techniques for years, the company’s practices have come under intense scrutiny since late March, when it was reported that data on about 50 million Facebook users was inappropriately acquired and used by Cambridge Analytica.

Since then Facebook has raised that estimate to 87 million—while revealing that the profiles of nearly all 2 billion users may have been accessed by hackers taking advantage of the company’s liberal data-sharing policies. The Federal Trade Commission has opened an investigation into whether the company violated a 2011 consent order related to its privacy practices.

CEO Mark Zuckerberg was called before Congress, and in his testimony this week he said that he would support some forms of regulation and that “everyone should have control over how their information is used.”

Groups such as Consumer Reports are now calling for stronger consumer protections.

“Facebook is like a lot of other ad companies that try to collect a lot of data about what you do online,” says Justin Brookman, privacy and technology director for Consumers Union, the advocacy division of Consumer Reports. “What makes Facebook special is how wide its net is and how much it knows about you. Unfortunately, there are very few rules around how it tracks you.”

Facebook representatives declined to discuss in detail how such data is collected and used but referred us to the company’s privacy policy. And the company outlines many of its practices in documentation for advertisers.

Here’s how Facebook uses online tracking technology to gather information that can help the company generate advertising revenue, and what you can do to limit such data collection.

Say Hello to the Pixel

As you travel through the web, you’re likely to encounter Facebook Like or Share buttons, which the company calls Social Plugins, on all sorts of pages, from news outlets to shopping sites. Click on a Like button and you can see the number on the page’s counter increase by one; click on a Share button and a box opens up to let you post a link to your Facebook account.

But that’s just what’s happening on the surface.

“If those buttons are on the page, regardless of whether you touch them or not, Facebook is collecting data,” Oppenheim says.

Behind the scenes, every web page contains little bits of code that request the pictures, videos, and text that browsers need to display each item on the page. These requests typically go out to a wide swath of corporate servers—including Facebook—in addition to the website’s owner. And such requests can transmit data about the site you’re on, the browser you are using, and more. Useful data gets sent to Facebook whether you click on one of its buttons or not. If you click, Facebook finds out about that, too. And it learns a bit more about your interests.

In addition to the buttons, many websites also incorporate a Facebook Pixel, a tiny, transparent image file the size of just one of the millions of pixels on a typical computer screen. The web page makes a request for a Facebook Pixel, just as it would request a Like button. No user will ever notice the picture, but the request to get it is packaged with information.

“You can use Pixels to measure all kinds of activity on a site,” says Joey Muller, a partner at Sum Digital, a digital advertising agency based in San Francisco. “We use Facebook Pixels in every single case. It’s the first step when I talk to someone about redesigning a site.”

Facebook explains what data can be collected using a Pixel, such as products you’ve clicked on or added to a shopping cart, in its documentation for advertisers. Web developers can control what data is collected and when it is transmitted.

The technology helps Muller’s clients target ads to consumers while providing Facebook with data about what millions of people read, shop for, and watch online as they move around the web.

“If you’re logged into Facebook with the same browser you use to surf the web, the company knows exactly who you are and the vast majority of the websites you visit,” Oppenheim says.

Even if you’re not logged in, the company can still associate the data with your IP address and all the websites you’ve been to that contain Facebook code.

Consumer Reports incorporates social sharing buttons and the Facebook Pixel on its digital platforms. We share news and marketing messages with people on Facebook to enlist participation in consumer issues, to solicit donations, and to encourage people to sign up as a member of CR. You can find more details about our use of internet platforms in our privacy policy, including information on how to opt out of certain tracking technologies.

How the Data Is Used: Retargeting

Facebook, like other big companies, has various ways of using consumer data for advertising. But a technique called retargeting provides one good example and helps explain why companies include the Facebook Pixel and Social Plugins on their websites.

Muller, the digital advertising executive, explains how his clients benefit from retargeting by referring to a hypothetical website called www.Lil-Kicks.com, which sells children’s basketball shoes.  

Let’s say you go to this fictional site, place a pair of red Converse Chuck Taylor sneakers in a Lil-Kicks shopping cart, and leave the site without buying them. Lil-Kicks wants you to come back and complete the purchase. And, Muller says, if Lil-Kicks.com incorporates Facebook Pixels, the social media giant can help the company place highly targeted ads.

For a marketer, choosing who will receive its ads is as simple as clicking buttons in an online dashboard, Muller says. In this case, the marketer might choose to target a “bucket” (in Facebook adspeak) of all consumers who have left shoes in a Lil-Kicks shopping cart. 

Soon enough, you’ll start seeing Lil-Kicks ads reminding you to buy the shoes you shopped for.

“I’m always targeting people who add to the cart,” Muller says. “That’s the holy grail in marketing because it shows intent” to buy.

And if you start getting ads for red high tops from, say, Zappos, that’s no coincidence, either. “Zappos can target anyone interested in Lil-Kicks and vice versa,” Muller says.

Facebook Ads, Not on Facebook

The fact that you’ve been shopping for a particular product on a specific website is just one data point for Facebook. And the ads you see in your feed are just a portion of all the ads the company shows you.

In materials written for its advertisers, Facebook explains that it sorts consumers into a wide variety of buckets based on factors such as age, gender, language, and geographic location. Facebook also sorts its users based on their online activities—from buying dog food, to reading recipes, to tagging images of kitchen remodeling projects, to using particular mobile devices.

The company explains that it can even analyze its database to build “look-alike” audiences that are similar to, say, Lil-Kick’s best customers.  

Facebook can show ads to consumers on other websites and apps as well through the company’s Audience Network. Facebook tells advertisers, “In a Facebook ad campaign study, conversion rates were eight times higher among people who saw ads across Facebook, Instagram, and Audience Network than people who only saw the ads on Facebook.”

In an interview with the Wall Street Journal in 2016, Andrew Bosworth, a Facebook vice president, described how the Audience Network was extending the company’s reach. (Bosworth has been in the news for an internal memo he wrote—around the same time as the Wall Street Journal piece—that outlined a grow-at-all-costs approach to business.)

“Our buttons and plug-ins send over basic information about users’ browsing sessions,” Bosworth told the Journal. “For non-Facebook members, previously we didn’t use it. Now we’ll use it to better understand how to target those people.”

What Consumers Can Do

You can reduce, but not eliminate, online tracking by Facebook, Google, and other companies by using ad blockers or anti-tracking software. You can further enhance your privacy by limiting the amount of information you volunteer online about yourself and members of your family.

There are some other tricks, too: Using different email addresses for different services, and even different browsers, can help enhance your privacy, according to privacy experts we consulted.

The biggest tech companies don’t give you strong tools for opting out of data collection, though. For instance, privacy settings may let you control whether you see targeted ads, but that doesn’t affect whether a company collects and stores information about you.

However, some shifts are already underway. In the past, Facebook has supplemented its own data gathering with details from third-party data brokers including Acxiom, Epsilon, and Experian in a program called Partner Categories. That helped Facebook use information such as what you bought in walk-in stores using a credit card to help target you with online ads. But in late March Facebook announced that it would wind down its use of data brokers—sending Acxiom’s stock price down by double digits.

And in the wake of the #deletefacebook movement, calls for reform, and pressure from consumers, further change may be coming.

“American consumers want a better deal from these huge technology companies,” CR’s Brookman says. “And this could finally be the time when they get it.”