The Investigation

Over the course of six months, the Bulligence research team analysed network traffic, SDK telemetry, and regulatory filings to map the full extent of Meta's data collection practices. What we found challenges the company's public-facing privacy narrative in fundamental ways.

Key Findings

Meta's off-platform tracking pixel is active on over 34% of the top 10,000 websites globally — including healthcare portals, financial services platforms, and government-adjacent services. Data captured includes page scroll depth, cursor heatmaps, and in some cases partial form submissions never sent by the user.

Cross-device identity graphs link these signals back to authenticated Meta accounts through a combination of first-party cookies, hashed email matching, and device fingerprinting. Our testing confirmed this linkage persists even when users opt out of personalised advertising via Meta's Ad Preferences centre.

Meta's Response

When contacted for comment, a Meta spokesperson stated that all data collection is "fully disclosed in our Data Policy and compliant with applicable law." The company did not address specific technical findings raised in our report.

What This Means for Users

Regulatory bodies in the EU and UK have been provided copies of our technical report. Under GDPR Article 5, data minimisation requirements may have been breached. Users in affected jurisdictions may have grounds to submit Subject Access Requests to understand the full extent of data held about them.