Why Facebook keeps collecting people’s data and building their profiles even when their accounts are deactivated

As a loyal reader, your feedback is vital to Digiday as we continue to evolve our products and coverage. Let us know your thoughts with this quick survey and ​​you’ll be entered to win one of five $25 Amazon gift cards.

Brains hooked up to machines by mad scientists. Tortured spirits stuck between this world and the next. Limp bodies force-fed to stay alive. Any of these creepy horror flick scenarios might be fitting to describe how Facebook treats deactivated accounts. Not only does the company keep these otherwise dormant digital beings on life-support indefinitely, it continues to latch new data shared by advertisers to deactivated accounts, fortifying identifiable profiles just in case their masters return to electrify them back to life. 

That practice is shady in the best of times, but it seems ridiculous to do that when someone has deactivated their account.
Justin Brookman, director of privacy and technology policy at Consumer Reports

Despite Facebook’s recent virtue-signaling on privacy, the company does not make it clear to people that when they deactivate their accounts, its vampiric data connections continue to suck new information from advertisers, revealing people’s personal interests, recent purchases and other interactions. And the company has no data retention policy limiting the length of time it keeps deactivated accounts and the photos and other data associated with them frozen in virtual cryogenic stasis.

Facebook refers to this intravenous data drip from advertiser partners as “Your Off-Facebook Activity.” It is comprised of data reflecting interactions people have with other companies that those firms pass along to Facebook, such as information showing that someone registered for a website, bought a product or signed up for a streaming subscription. 

“That practice is shady in the best of times, but it seems ridiculous to do that when someone has deactivated their account,” said Justin Brookman, director of privacy and technology policy at Consumer Reports.

Account deactivation is distinctly different from deletion. When people deactivate their accounts, their profile disappears from view of other people, but not Facebook. Ultimately, Facebook views deactivation as a sign that a user may return to reactivate the account at some point, which they can do simply by logging into the platform. While account deletion is permanent, deactivation is intended to allow people to return to their account, complete with pre-existing friend connections and other settings still intact as though they never left. 

When people deactivate their accounts, “from Facebook’s perspective, all you’re saying is, ‘I don’t want to use the social media product of Facebook,'” said Nii Ahene, chief strategy officer at Tinuiti, an agency focused on advertising on Facebook and other platforms. So, in his assessment of Facebook’s possible perspective on the subject, the logical extension of that is something like, “We’re still going to create this profile around you.”

While deactivated accounts are not visible to others, Facebook handles them just like an active account. That means the company’s data policy — which allows for new data to be added to accounts — applies to deactivated accounts in the same way it does active ones. And it means that if people have chosen to stop some off-Facebook data sharing, their privacy choices remain in place during deactivation, too. However, if they deactivated their accounts before January 2020 when controls over off-Facebook activity data were made available, Facebook could still be appending data shared by advertisers to their paused accounts.

But Bennett Cyphers, staff technologist at the digital privacy advocacy organization Electronic Frontier Foundation, said Facebook should consider automatically suspending collecting data tied to deactivated accounts. “It should be a clear signal that that person does not want them to collect and monetize data about them,” he said. 

Facebook declined to provide any comments on the record for this story.

How Facebook gets smarter from fresh deactivated account data 

According to Facebook’s data policy, advertisers and other third-party marketing or data services companies share information about people’s off-Facebook activity not only when people are not logged into the platform, but even when they do not have an account. “For example, a game developer could use our API to tell us what games you play, or a business could tell us about a purchase you made in its store,” states the policy. That information enters the Facebook data trove through a variety of routes, including via Facebook “like” buttons on website pages, through cookies or Facebook pixels installed on specific sites and product pages, via mobile app SDKs or through newer direct data conduits such as Facebook’s Conversion API

“This represents a misconception that a lot of folks think the act of deactivating an account prevents some sort of ongoing data collection. It continues to aggregate,” said Ty Martin, founder of Audience Kitchen, which helps advertisers uncover targetable audiences on Facebook and Instagram.

This represents a misconception that a lot of folks think the act of deactivating an account prevents some sort of ongoing data collection.
Ty Martin, founder of Audience Kitchen

For Facebook, the value of adding fresh data to deactivated accounts is obvious, said Ahene. “They are using your behavior to inform their social graph,” he said. Facebook’s algorithmic audience targeting process learns from the ways people who are similar to one another behave, so it gets smarter even when data is added to a hibernating deactivated account. If, for example, someone who deactivated her Facebook account showed interest in fitness content outside the platform or bought exercise equipment, Facebook could use that information to refine how people with similar interests and demographics are categorized for ad targeting.  

“Your actions put that user into a closer cohort to the audience you’re in,” said Ahene. “That’s how machine learning works; it’s collaborative filtering.”

So, Facebook’s social graph might improve by using data appended to a deactivated account that shows that someone purchased a certain type of product, said Martin. The information would be a signal to Facebook that people similar to a deactivated account holder might also buy the same thing. “If an advertiser is focused on conversions as a goal, then Facebook is looking for people in that broad audience who are similar to others who have converted,” he said. 

Risks for advertisers kept in the dark about deactivated accounts

While Facebook’s ad system can get better when additional data is hinged to deactivated accounts, advertisers are kept in the dark about them. Ad agency execs say they don’t know when advertisers pass data to Facebook that is then appended to deactivated accounts. And, when advertisers upload customer data to match to Facebook’s social graph to target custom audiences, they are not told the number or portion of matches that are associated with deactivated accounts. “We don’t even get it at an aggregated level,” said Martin.

Martin and Ahene said this lack of transparency around deactivated accounts could be a risk factor for advertisers when it comes to campaign planning based on Facebook’s audience size and reach estimates, particularly for brand advertisers concerned with reaching a certain number of people a specific number of times. “The way this becomes problematic for advertisers is that advertisers [make] their budgeting decisions based on that potential reach,” Martin said.

But he said Facebook benefits from not breaking out data about the portion of audience estimates of active versus deactivated users. “I can see why Facebook would want to treat it as one nice, big audience,” Martin said. “I might start saying I’m only going to look at the portion of reach that Facebook can verify and then maybe lower their budgets.”

Facebook said that, once an account is deactivated, it can’t be served ad impressions. So, because the estimated audience numbers it provides for campaign planning only include people it has shown ads to in the past 30 days, that estimate effectively removes some deactivated accounts.

Account Deletion: “a very Hotel California-like structure”

This story came to be through the personal experience of your trusty reporter. Years after deleting the Facebook app off an old phone and never using it again, I found myself downloading it in mid-September for story research. That meant I also had to log into the platform, which meant I’d have to remember the username and password I set up for a work-related dummy account I rarely access. I used an email address and password I thought would turn up that dummy account.

Then suddenly, there it was, like some poltergeist: my old Facebook account. That is, the real one I’d used on a personal basis for a decade or so but had finally killed off in early 2019. Or, so I thought. Somehow, Facebook had roused the thing like a monster disturbed from its two-and-a-half-year slumber. I am not exaggerating when I say the frisson was palpable when the spirit of my defunct profile showed up reinvigorated on my phone. 

Through its tendrils in other services, Facebook gave users lots of different ways to accidentally reactivate their accounts.
Bennett Cyphers, staff technologist, Electronic Frontier Foundation

I had no way of proving that back in 2019 I had intended to permanently delete this revived account. While most everyday Facebook users might never get a direct response from the company regarding this sort of issue, I was in a privileged position as a reporter in regular contact with communications staff at the company. Despite my recollection to the contrary, they told me that Facebook’s internal logging records showed I had never scheduled the account for deletion, but merely had set it to deactivate. Had I actually initiated deletion, that would have shown up in Facebook’s log files, they said. The company would not provide any detail on how that would be represented in their internal data. 

People take a multistep process to both deactivate and delete their accounts. When they schedule an account for deletion, Facebook requires 30 days in which people cannot log back into the account before Facebook begins deleting their data. It’s not easy for many typical web users to get past Facebook’s 30-day threshold without inadvertently logging back into their accounts because so many websites and apps allow people to sign in using their Facebook credentials, and because apps and browsers often automate those logins.

“At several points in Facebook’s recent history, the only thing that was easy for users to do was deactivate their accounts, but deletion has been more of a challenge,” Cyphers said. “Through its tendrils in other services, Facebook gave users lots of different ways to accidentally reactivate their accounts, and so it was this kind of maze and exercise in austerity,” he continued. “It was a very hotel California-like structure.” In other words, as the Eagles song lyrics go, “you can check out any time you like, but you can never leave.”

So, despite the fact that I’d attempted to log in to a different still-active dummy account, Facebook’s social graph gods had worked their magic. As far as Facebook was concerned, not only had I never deleted that old account, I had now signaled my intent to return to the news feed. But this had been no temporary respite. When I used Facebook’s Download Your Data process to grab the information associated with my revived account, a file listing “account status changes” showed that precisely two years, seven months, 13 days, five hours and 26 minutes had passed between the time Facebook had registered the account deactivation and the moment it gasped back to life. 

And yes, there were those files showing my off-Facebook activity. One file featured a long list of websites and apps I’d used my Facebook credentials to register with or sign into. A folder labeled “your_off-facebook_activity” showed individual files revealing data reflecting my purchases and transactions shared with Facebook by various companies while my account had been deactivated. There were subscriptions to The Athletic, Hulu and Netflix, as well as purchases on eBay, Edmunds.com and Wayfair. 

Edmunds was the only company in this list that responded to a request to comment for this story. The auto site referred me to its privacy policy which states that it shares data with Facebook about people’s activities on Edmunds.com, or data it gleans from its auto dealer partners such as vehicle purchase data. Edmunds did not respond to a direct question regarding whether the company is aware that some of the information it shares is appended to deactivated accounts. 

Facebook’s privacy assumptions

As Facebook attempts to deflect intense scrutiny from the steady stream of damning Facebook Papers reports, the company has dialed up its privacy charm offensive. Facebook is currently running a marketing campaign touting its commitment to protecting people’s data and giving them more control over their privacy choices. “You should be able to understand who has your data and how they use it,” says a Facebook privacy team employee named “Rochelle” in a video in which she mentions the company’s support for federal privacy legislation.

The company has been more forthcoming about its off-Facebook data connections since it launched its Off-Facebook Activity tool on Data Privacy Day last year. The tool reveals which companies have passed data along to Facebook in the past 180 days, and allows people to manage which companies can and can’t do it in the future. If people have disabled off-Facebook activity data collection, those settings will apply if they deactivate their accounts afterwards. However, account deactivation does not override settings, so if accounts were allowing off-Facebook activity data collection before going dark, they’ll continue to do so after deactivation.

I think it all comes back to a lack of transparency.
Laura Aldridge, VP, data privacy officer at digital agency Rapp

But Facebook does not make it clear in the tool or in its data policy that when people deactivate, it will continue appending new data shared by other companies to their deactivated accounts unless their pre-existing privacy settings prevent it. When asked about how its data policies address or allow for off-Facebook activity data gathering, Facebook points to a section detailing “What kinds of information” it collects. However, nowhere in that section is data collection associated with deactivated accounts mentioned specifically. Instead, Facebook seems to assume that people will realize the policy applies to accounts they’ve effectively shut down. 

“The onus, the burden of proof is on [Facebook] to show you that they disclosed how they were going to be using your data,” said Laura Aldridge, vp and data privacy officer at digital agency Rapp. “I think it all comes back to a lack of transparency.”

When people use Facebook’s Off-Facebook Activity tool or its Download Your Information service, the company only gives them basic information reflecting some of the interactions they have outside Facebook’s walls that are shared with the platform, but Facebook intercepts more. Advertisers might share additional details such as which items someone added to a shopping cart, for example. “We receive more details and activity than what appears in your off-Facebook activity,” the company states in a description of the data set in its help center. 

Meanwhile, there are no technical limitations to how long a Facebook account can stay deactivated, so some people could deactivate their accounts and never return to the platform. However, Facebook has no policy limiting the length of time it will store data associated with a deactivated account. That means photos, snippets of comments or messages between friends, data about where people have lived or worked, or lists of code for cookies, IP addresses, email addresses and device characteristic data used by Facebook to detect identity could be kept on Facebook’s servers in perpetuity or until an account is deleted. Ultimately, Facebook argued it would be a surprising and negative experience for people who return to Facebook only to find skeleton-like accounts. 

Europe’s General Data Protection Regulation and California’s updated privacy law have inspired companies holding lots of consumer data to define rules and strategies for data retention, said Aldridge. “More people are more mindful of getting rid of data,” she said. “That’s a natural evolution from where we were with big data.”


More in Media

Immediate deepens CMP strategy, slashes ad tech partnerships for sharper data governance

Consent management platforms at Immediate aren’t just about ticking boxes for data laws.

Teads’ M&A rumors are firming up with a deal to merge with Outbrain

The latest installment of ad tech M&A activity is leaving some industry folks surprised.