March 14, 2022, was an ordinary day. I snoozed my alarm at 7.15am and then again at 7.30am. I checked on a prescription at 10.25am, scanned my bank balance at 2.40pm and bought a birthday card for my father at 4.05pm.
I didn’t record these mundane actions, but Facebook did.
In fact, between December 2021 and December 2023, Meta — the company that owns Facebook, Instagram and WhatsApp — tracked me an average of 33 times a day from websites and apps that aren’t connected to my social media accounts. Even when I wasn’t looking at them, they were looking at me.
At least 70 per cent of the UK population, more than 47 million people, use a platform owned by Meta at least once a month. Most are being tracked unwittingly. It’s not just the data that we upload to its platforms, but a whole empire of data about other activities that is fed back, allowing Meta to customise and optimise its ad business, which brought them $131 billion (£105 billion) in global revenue last year.
For a couple of years now I’ve had a niggling desire to know what data they held about me. I was pushed into action last year when I opened Instagram one day and my feed was filled with adverts for engagement rings. I was taken aback. I’d been in a relationship for three years, but it’s not something I posted about on social media. How did Meta know? Meta has been collecting data on me since December 2007, when I created my Facebook account aged 11. There were 360 million users; now it is 3.1 billion. Neither my parents, both former software developers, nor I understood how much personal data we were giving away or what it meant. I later accepted the old adage: “If you’re not paying for the product, you are the product.” I accept complicity in this trade-off, but I wanted to explore its more troubling implications. Deep in my Facebook settings, I requested a download of all of my data from the past 15 years. I received almost 20,000 pages of information, including every party invitation, holiday snap and regrettable Facebook status update, plus almost 20,000 interactions over two years with websites and apps that aren’t connected to my Meta accounts. The data dump was not user-friendly in the style of Spotify Wrapped, where your listening habits are packaged into colourful, shareable graphics. Instead each website’s tracking is in a separate file, which took me and a fellow data journalist a full week and extensive coding to analyse. Meta collects our data using a “Meta pixel”, a few lines of code that track website users by placing files called “cookies” on their computers. Companies usually install this software to track their own adverts on Meta products and find out whether the adverts are working. But as a result, whenever anyone browses products or makes a purchase, the pixel then sends that information to Meta, along with the user’s IP address. As a result Meta knows a dizzying array of things about all of us, including some things it probably shouldn’t. My data covered just about every facet of my life. Health data is the most sensitive there is. Yet over two years, I was tracked by Meta ordering prescription medications on LloydsDirect 37 times and booking GP appointments on the health app eMed 20 times, as well as browsing NHS Trust websites four times and once signing up to the stem cell register. I may have accepted Meta’s terms and conditions, and agreed to its long privacy policy, but being tracked for my health inquiries still feels intrusive. Last year I visited the Royal Marsden NHS Foundation Trust’s website to find out more about bowel cancer, after a friend was diagnosed. I also looked at resources from Macmillan Cancer Trust, Cancer Research UK and Bowel Cancer UK to learn more about what my friend was facing. The whole time I was being tracked. When I asked the trusts why they tracked visits, the Royal Marsden said it only collects user data by consent and regularly reviews cookie policies. The trust in Gloucestershire had installed a Meta pixel for an advertising campaign, and they didn’t realise it was still sending Meta information until I contacted them. It took Matilda Davies and a colleague a full week to analyse the reams of data SUNDAY TIMES PHOTOGRAPHER RICHARD POHLE Using this kind of information for targeted advertising can have damaging consequences. In 2018, the journalist Gillian Brockell wrote an open letter to Facebook. After a stillbirth she was regularly shown adverts for nursing bras and maternity clothes, despite clicking “I don’t want to see this ad”. She implored Facebook to “advertise to me accordingly, or maybe, just maybe, not at all”. It’s not just your physical health that Meta knows about. When I went to the website of the mental health charity Mind to look for resources, then searched the UK Council for Psychotherapy’s database for a counsellor, those websites sent my tracking information to Meta. Meta knew when I visited the website of the bereavement support charity Cruse. It tracked all my activity one afternoon in November 2022, days after a mass shooting in the US at a gay bar, when I trawled through LGBT news websites before finally landing back on Mind’s website. I’m more than a little perturbed by the idea Meta is using these moments of online vulnerability to advertise products to me. As with health, we like to think that our finances are private. But over two years, Monzo told Meta I’d opened its banking app 192 times. NatWest told Meta the date I submitted my credit card application. I’d struggle to avoid this tracking if I tried. Almost every big British bank sends user data to Meta.When I combined my old pensions, PensionBee shared data about when I signed up, the Pensions Regulator and the government’s Money Helper website shared when I sought advice and the Insolvency Experts shared when I contacted them to track down an old employer. Meta knew it all. A government spokesman said: “The government runs digital advertising campaigns to increase awareness of vital public services. This is standard practice for government and businesses across the country.” I’m not a regular gambler, but William Hill told Meta when I put money on Eurovision last year and retrieved my winnings. Gambling websites have been widely criticised for sharing user activity with tech giants such as Meta, Google and Microsoft because it lets them target adverts and free bets directly to gambling addicts. This part is particularly useful for advertisers. My alarm app, Alarmy, sent my activity to Meta more than 6,800 times in two years — once for every time I woke up, hit snooze or reset it. Meta tracked me using taxi apps 42 times, train ticket apps 35 times and my Tesco Clubcard 32 times. I use my Clubcard religiously, and have signed up to more loyalty schemes since the cost of living crisis hit. Supermarket loyalty cards have been under scrutiny recently because shoppers are required to sign up and hand over their data to access reduced prices on hundreds of products. The Competition and Markets Authority began reviewing these schemes in January to investigate whether some shoppers were disadvantaged by them. Mark Johnson, advocacy manager at the privacy campaigning organisation Big Brother Watch, said: “It is shameful that supermarkets are taking advantage of a cost of living crisis by pushing shoppers into trading more of their data to access discounts that used to be available to all.” Meta’s response to all this? A spokesman told me the data that companies receive from its business tools such as Meta pixels requires legal compliance. And that they educated advertisers about how to set up their business tools to prevent accidental sharing. “Our policies require advertisers to have the necessary rights and permissions, including people’s consent where applicable, to use our business tools data,” they said. “We don’t want or permit advertisers to send sensitive information about people through our business tools.” So what can be done? For more robust online controls, experts recommend using browsing software with high security, such as the Mozilla Firefox browser and the search engine DuckDuckGo. If you’re wedded to Google Chrome, you can use a virtual private network (VPN) or extensions such as Ghostery for extra privacy. But the first line of defence is turning off cookies and disconnecting third-party tracking in your Facebook or Instagram settings. Ultimately, turning off the data tap is a difficult business and depends on the organisations and businesses whose websites and services I use. It was alarming to discover just how many of these organisations don’t know — or worse, don’t care — about the role they play in Meta’s vast data harvesting operation. In the chain of operators enabling the practice — from consumers, to web developers, to website owners, to Meta — there is too much obfuscation and not enough accountability. Perhaps naively I was under the impression that, in the aftermath of the 2018 Cambridge Analytica scandal, which exposed how the private information of more than 50 million Facebook users had been used to try to influence 2016 elections for Donald Trump and Brexit, this kind of pervasive data sharing wasn’t happening. Now I know better. After this investigation I considered deleting my accounts, but since the age of 11 they’ve underpinned my social life, my work, my memories, my relationships. So in the end, I didn’t — I couldn’t. That is just what companies like Meta rely on.
How to stop Meta from collecting your data from other sites