Meta Platforms and TikTok collect hashed personal information from web forms even when the user does not submit the form and has not given consent, according to a research.
(Sign up to our Technology newsletter, Today’s Cache, for insights on emerging themes at the intersection of technology, business and policy. Click here to subscribe for free.)
Both Meta Pixel and TikTok Pixel have a feature called Automatic Advanced Matching (AAM) that collects hashed personal identifiers from the web forms in an automated manner, according to researchers from KU Leuven, Radboud University, and University of Lausanne.
Pixel is a code that lets platforms track visitor activity. This information can be used to target people with ads based on interests, preferences, and their behavior online. It can also measure the performance of ads.
The hashed personal identifiers are then used to target ads on the respective platforms, measure conversions, or create new custom audiences.
Meta’s, and TikTok’s documentation claim that AAM should trigger data collection when a user submits a form.
However, researchers found that both the platforms collect hashed personal data when the user clicks links or buttons that in no way resemble a submit button.
Meta and TikTok scripts don’t even try to recognise submit buttons. These platforms collect hashed personal information, even when a user decides to abandon a form, and clicks a button or link to navigate away from the page, according to the researchers.
The researchers have also investigated 1 lakh websites to detect leaks of users’ personal data triggered by unrelated button or link clicks.
They found that 8,438 US and 7,379 EU sites may leak user data to Meta when the user clicks any button or link, after filling up a form. They also found 154 US and 147 EU sites leaking personal data of users to TikTok.
Users’ email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and before giving consent, according to the researchers.