
While I agree that the main fault was with the pharmacies, they should certainly not send any patient information to anyone, I think you can at least partly blame Facebook since they had promised to filter out anything sensitive.


That sounds impossible even for one language. A better description I might trust wouldn’t include “filter out”. Filter out!? Like activities that aren’t “filtered out” would somehow be blanket acceptable?

Wouldn’t it be easier to just use an FB API to send one ping when a transaction completes, e.g. with a campaign ID? Why would FB ever be uploading what’s stored in a form field that they don’t know what it means? It makes no sense?


Many analytics and tracking pkgs will capture every single form field and upload them as a standard default, and only mask out things that match cc regexes etc.

Yes it's immensely stupid
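An added illustration of the capture-everything default described in the comment above, next to an allowlist that sends only a campaign ID as suggested earlier in the thread. This is not code from any commenter or from a real analytics package; the field names, sample form and allowlist are constructed for the example.

```javascript
// Constructed sample: fields a pharmacy checkout form might submit (not from the thread).
const sampleForm = {
  email: "pat@example.com",
  card_number: "4111 1111 1111 1111", // well-known test card number
  medication: "example-medication 20mg",
  quantity: "48",
  has_prescription: "yes",
  campaign_id: "spring-promo",
};

// Luhn checksum, so the denylist only masks plausible card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Denylist policy: capture every field, mask only values that look like card numbers.
function captureWithDenylist(form) {
  const out = {};
  for (const [name, value] of Object.entries(form)) {
    const digits = value.replace(/[\s-]/g, "");
    const looksLikeCard = /^\d{13,19}$/.test(digits) && luhnValid(digits);
    out[name] = looksLikeCard ? "[masked]" : value;
  }
  return out;
}

// Allowlist policy: send only fields explicitly reviewed as non-sensitive.
const ALLOWED_FIELDS = new Set(["campaign_id"]); // hypothetical allowlist
function captureWithAllowlist(form) {
  const out = {};
  for (const name of ALLOWED_FIELDS) {
    if (name in form) out[name] = form[name];
  }
  return out;
}

// Names of fields whose real values would leave the page under a capture policy.
function leakedFields(captured) {
  return Object.keys(captured).filter((k) => captured[k] !== "[masked]");
}
```

With the denylist, the card number is masked but the email, medication and questionnaire answers still go out; with the allowlist, only the campaign ID does.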


What the hell would someone even do with such data? I get that you can figure out addresses/phone numbers/emails and correlate individuals etc. But what about all the other fields? If someone says "It's sold in bulk to companies who try to datamine whether the field values '48', 'yes' and 'Other' make it more/less likely for you to buy car insurance in the future" I'd be... completely unsurprised.



