The problem with these practices is that the cookies are placed without consent, which under EU law is only allowed if there is a strict necessity to do so. Facebook maintains that the "datr" cookie plays a key role in Facebook's security and site integrity features. However, given that the "datr" cookie is used in the EU when someone tries to opt out of ad targeting, but isn't used in U.S. and Canada in similar circumstances, it's hard to believe that the cookie is strictly necessary for site security, Van Alsenoy said.
Meanwhile, Facebook slammed the findings. "This report contains factual inaccuracies," said a Facebook spokeswoman in an emailed statement, adding that the inaccuracies in the report were explained in detail to the Belgian Privacy Commission after the report's earlier draft was published.
Cookies are also set for non-Facebook users who have visited facebook.com, to help protect Facebook Services and the people who use it from malicious activity, the company said. They can help detect and prevent denial-of-service attacks and the mass creation of fake accounts, it added.
Facebook is confident that its updated policies comply with EU law, the spokeswoman said, adding that it routinely reviews product and policy updates with its EU regulator, the Irish Data Protection Commissioner (DPC).
Facebook will have to deal with other, national privacy authorities though. The Belgian, Dutch and a German privacy authority have all started investigations into Facebook's policy changes and the three countries in February formed a task force to examine how the policy might violate EU privacy laws.
The researcher's report will be taken into account by the three authorities, a spokeswoman for the Belgian Privacy Commission said, adding that it was too early to draw any conclusions. The Commission hopes that if it turns out that Facebook has violated the law, it can come to a friendly agreement, but if that turns out to be impossible, Facebook could also be sued as an extreme measure, the spokeswoman said.
Sign up for CIO Asia eNewsletters.