Facebook Built a Profile on You Even If You Never Signed Up
Facebook maintains detailed shadow profiles of non-users through contact uploads, pixel tracking, and data broker feeds. You can't opt out of profiles you never agreed to create. A data privacy and consumer cybersecurity investigation.
What is a shadow profile?
A shadow profile is a collection of data that Facebook (now Meta) maintains about a person who has never created a Facebook account. The data is compiled from multiple sources: contact lists uploaded by Facebook users, browsing activity tracked by the Facebook Pixel across millions of websites, data purchased from third-party brokers, and information scraped from public records [1].
You do not need to sign up for Facebook for Facebook to know your name, phone number, email address, home address, employer, political affiliation, purchasing habits, and social connections. All it takes is for people who know you to use Facebook.
How contact uploads build profiles on non-users
When a Facebook user syncs their phone contacts, uploads their email address book, or allows the Facebook or Messenger app to access their contacts, every name, phone number, and email address in that contact list is transmitted to Facebook's servers [2].
Here is what happens next:
- Your friend installs Facebook and grants contact access
- Facebook receives your name, phone number, and email address from your friend's contacts
- Another friend does the same thing. Facebook now has two independent sources confirming your name, phone number, and a second email address
- A third friend uploads contacts from their work email. Facebook now has your work email and your employer (inferred from the email domain)
- Over time, as dozens of people who know you upload their contacts, Facebook assembles a detailed profile: multiple phone numbers, multiple email addresses, your home address (from contacts that include addresses), your birthday, your relationship to each person who uploaded your info
This process is entirely invisible to you. You never consented to any of it because you were never asked.
Zuckerberg's Congressional testimony
During Mark Zuckerberg's testimony before Congress on April 11, 2018, Representative Ben Lujan asked directly about shadow profiles [3]:
> Lujan: "Facebook has detailed profiles on people who have never signed up for Facebook; yes or no?"
>
> Zuckerberg: "Congressman, in general we collect data on people who have not signed up for Facebook for security purposes..."
>
> Lujan: "It's been referred to as shadow profiles. Is that what it's been referred to within the company?"
>
> Zuckerberg: "Congressman, I'm not, I'm not familiar with that."
The claim that he was not familiar with the term "shadow profiles" was widely criticized. Internal Facebook documents later revealed in litigation showed that the company was well aware of the practice and had internal discussions about the privacy implications [4].
The Northeastern University research
In 2018, researchers at Northeastern University conducted an experiment that definitively proved Facebook could target advertising to non-users using data those non-users never provided [5].
The experiment worked like this:
- Researchers created a Facebook advertising campaign targeting a custom audience based on phone numbers
- They included phone numbers that belonged to landline telephones. These numbers could never have been used to create a Facebook account or log into the Facebook app
- Facebook accepted the targeting and showed ads to Facebook users associated with those landline numbers
The only way Facebook could associate a landline number with a Facebook user is through contact uploads. Someone who knew the landline number owner had uploaded their contacts to Facebook, and Facebook used that data to build an advertising profile.
This means Facebook's advertising system can target individuals based on data those individuals never provided, never consented to share, and may not even know Facebook possesses.
What shadow profiles contain
Based on leaked documents, researcher analyses, and legal discovery in various lawsuits, shadow profiles can include [6]:
- Full name (as it appears in other people's contacts)
- Multiple phone numbers (cell, home, work)
- Multiple email addresses (personal, work)
- Home address (if stored in contacts)
- Employer and job title (inferred from email domains and contact metadata)
- Social graph (who knows you, how closely, inferred from upload frequency and mutual connections)
- Browsing history (from Facebook Pixel tracking across millions of websites)
- Purchase behavior (from data broker partnerships and Pixel tracking on e-commerce sites)
- Political affiliation (inferred from browsing patterns and social connections)
- Location history (from IP addresses associated with Pixel tracking and from friends' location-tagged posts that mention or tag you)
Facebook Pixel: tracking you across the web
Even if nobody ever uploaded your contact information, Facebook still tracks you through the Facebook Pixel, a snippet of JavaScript code installed on millions of websites. As of 2025, the Facebook Pixel is present on approximately 8.4 million websites, including news sites, e-commerce stores, healthcare providers, and government websites [7].
When you visit a website with the Facebook Pixel:
- The Pixel fires and sends data to Facebook's servers
- The data includes the page URL, your IP address, browser fingerprint, and any actions you took (items viewed, added to cart, purchased)
- Facebook matches this activity to a profile using browser cookies, IP address correlation, and device fingerprinting
- If you do not have a Facebook account, the data is stored against your device fingerprint and associated with a shadow profile
This tracking occurs regardless of whether you are logged into Facebook, have a Facebook account, or have ever visited facebook.com. The Pixel operates as a third-party tracker on other people's websites.
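An added example (not from the original article, and not Meta's code): a small Node.js auditor that a site owner or researcher can run over the request entries of a browser HAR capture to see whether a page loads the Pixel, and which event name, page URL, and custom data each Pixel request carries. The hostnames and query parameter names (id, ev, dl, cd[...]) are the publicly documented Pixel endpoints rather than values quoted on this page; the sample entries, shop.example, and the all-zero Pixel ID are constructed.

```javascript
// Added example: find Meta Pixel traffic in a list of HAR request entries.
// Endpoint and parameter names are assumptions taken from the public Pixel base code.
const PIXEL_SCRIPT_HOST = "connect.facebook.net";
const PIXEL_EVENT_HOSTS = new Set(["www.facebook.com", "facebook.com"]);

function findPixelRequests(entries) {
  const findings = [];
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // skip malformed URLs rather than aborting the audit
    }
    if (url.hostname === PIXEL_SCRIPT_HOST && url.pathname.endsWith("/fbevents.js")) {
      // The loader script itself: proves the Pixel is installed on the page.
      findings.push({ kind: "loader", pixelId: null, event: null, pageUrl: null });
    } else if (PIXEL_EVENT_HOSTS.has(url.hostname) && /^\/tr\/?$/.test(url.pathname)) {
      // An event beacon: collect any cd[...] custom-data fields it carries.
      const customData = {};
      for (const [key, value] of url.searchParams) {
        const m = /^cd\[(.+)\]$/.exec(key);
        if (m) customData[m[1]] = value;
      }
      findings.push({
        kind: "event",
        pixelId: url.searchParams.get("id"),
        event: url.searchParams.get("ev"),   // e.g. PageView, AddToCart
        pageUrl: url.searchParams.get("dl"), // the page the visitor was on
        customData,
      });
    }
  }
  return findings;
}

// Constructed sample, shaped like har.log.entries from a browser export.
const SAMPLE_HAR_ENTRIES = [
  { request: { url: "https://shop.example/product/42" } },
  { request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
  { request: { url: "https://www.facebook.com/tr/?id=000000000000000&ev=PageView&dl=https%3A%2F%2Fshop.example%2Fproduct%2F42" } },
  { request: { url: "https://www.facebook.com/tr/?id=000000000000000&ev=AddToCart&dl=https%3A%2F%2Fshop.example%2Fproduct%2F42&cd%5Bvalue%5D=19.99" } },
  { request: { url: "not a url" } },
];

console.log(findPixelRequests(SAMPLE_HAR_ENTRIES));
```

To audit a real page, export a HAR file from the browser's network panel and pass its log.entries array to findPixelRequests.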
GDPR implications and the Belgian DPA fine
The European Union's General Data Protection Regulation (GDPR) requires a lawful basis for processing personal data. For non-users who never consented to anything, Facebook's shadow profiling has no clear legal basis [8].
In 2022, the Belgian Data Protection Authority (DPA) fined Meta 746 million euros (later reduced on appeal) for, among other violations, processing personal data of non-Facebook users without consent. The Belgian DPA specifically cited [9]:
- Tracking non-users via Facebook Pixel cookies without consent
- Processing contact data of non-users uploaded by Facebook users
- Failing to provide non-users with adequate information about how their data is processed
- Failing to offer non-users a meaningful way to access, correct, or delete their data
Meta appealed, and the fine was reduced, but the underlying legal finding that tracking non-users without consent violates GDPR remains in effect across the EU.
How to check what Meta has on you
Even if you do not have a Facebook account, you can attempt to find out what Meta knows about you:
For non-users (no Facebook account)
- Submit a GDPR/CCPA data access request. Email privacy@meta.com or use the form at Meta's privacy help center. Identify yourself with your name, email addresses, and phone numbers. Under GDPR (if you are in the EU) or CCPA (if you are in California), Meta is legally obligated to respond within 30 to 45 days
- Use Meta's Off-Facebook Activity tool (requires creating a minimal account). This shows which websites and apps have sent your activity data to Facebook via the Pixel
- Check data broker sources. Request your files from Acxiom, Oracle Data Cloud, and LiveRamp, which are known Meta data partners
For existing Facebook users
- Settings > Your Information > Download Your Information and request a full copy in JSON format
- Settings > Your Information > Access Your Information > Ads Information > Advertisers who uploaded a contact list with your info. This shows which companies have your personal data and are using it for ad targeting
- Settings > Your Information > Off-Facebook Activity. Review and clear the list of websites and apps that sent your data to Meta
- Upload your phone contacts to Facebook, then immediately view them at facebook.com/invite_history.php. This shows what Facebook extracted from your contacts. Then delete them
For everyone
- Install a browser extension like uBlock Origin or Privacy Badger that blocks Facebook Pixel tracking
- Use Firefox or Brave, which have built-in protections against cross-site tracking
- Opt out of data broker sharing. Submit opt-out requests to Acxiom (isapps.acxiom.com/optout), Oracle Data Cloud (datacloudoptout.oracle.com), and LiveRamp (liveramp.com/opt_out)
The fundamental problem
Shadow profiling reveals a core truth about modern data collection: your privacy is a collective problem, not a personal choice. Even if you take every precaution, delete every account, and use every privacy tool, the people around you can still feed your data into systems you never agreed to use.
Facebook's shadow profiles are the most well-known example, but Google, Amazon, and data brokers operate similar systems. The data economy is built on the principle that if data about you exists anywhere, someone will collect, correlate, and monetize it. Consent is an afterthought at best and a legal fiction at worst.
Sources
[1] Kashmir Hill, "Facebook Is Receiving Sensitive Medical Information from Hospital Websites," The Markup, June 2022
[2] Facebook Help Center, "How does Facebook use my contact information?," archived 2023
[3] C-SPAN, "Mark Zuckerberg Testimony Before Senate Judiciary and Commerce Committees," April 10, 2018
[4] Gizmodo, "Facebook's Shadow Profiles Are Detailed, and They Know More Than You Think," 2018
[5] Giridhari Venkatadri et al., "Investigating Sources of PII Used in Facebook's Targeted Advertising," Northeastern University, Proceedings on Privacy Enhancing Technologies, 2018
[6] David Garcia, "Leaking Privacy and Shadow Profiles in Online Social Networks," Science Advances, 2017
[7] BuiltWith, "Facebook Pixel Usage Statistics," 2025
[8] European Data Protection Board, "Guidelines on Transparency under GDPR," 2019
[9] Belgian Data Protection Authority, "Decision on the Merits 21/2022 of 2 February 2022 (Case DOS-2019-01377)," 2022
