anon_id property

The anon_id is a unique ID for the device that Facebook generates and persists on the device. This can be verified by reading the source code of the Facebook SDKs.

For iOS, that is the Facebook SDK for iOS:

Here, a property with the key FBSDK_APPEVENTSUTILITY_ANONYMOUSID_KEY is set to the return value of the function call [FBSDKBasicUtility anonymousID] (source):

1[FBSDKTypeUtility dictionary:parameters setObject:[FBSDKBasicUtility anonymousID] forKey:FBSDK_APPEVENTSUTILITY_ANONYMOUSID_KEY];

The value of the FBSDK_APPEVENTSUTILITY_ANONYMOUSID_KEY constant is anon_id (source):


The [FBSDKBasicUtility anonymousID] function tries to retrieve a previously saved ID using the retrievePersistedAnonymousID function. If that fails, it generates a UUID using [NSUUID UUID].UUIDString (documentation), prepends the string XZ, and saves that using the persistAnonymousID function. (source)

 1+ (NSString *)anonymousID
 3  // Grab previously written anonymous ID and, if none have been generated, create and
 4  // persist a new one which will remain associated with this app.
 5  NSString *result = [self.class retrievePersistedAnonymousID];
 6  if (!result) {
 7    // Generate a new anonymous ID.  Create as a UUID, but then prepend the fairly
 8    // arbitrary 'XZ' to the front so it's easily distinguishable from IDFA's which
 9    // will only contain hex.
10    result = [NSString stringWithFormat:@"XZ%@", [NSUUID UUID].UUIDString];
12    [self persistAnonymousID:result];
13  }
14  return result;

In the Facebook SDK for Android, the anon_id is set to the value of the anonymousAppDeviceGUID parameter in the Utility.setAppEventAttributionParameters function (source):

1params.put("anon_id", anonymousAppDeviceGUID)

The return value of a call to the AppEventsLogger.getAnonymousAppDeviceGUID() function is passed as that parameter, e.g. (source):

2    deferredApplinkParams,
3    AttributionIdentifiers.getAttributionIdentifiers(context),
4    AppEventsLogger.getAnonymousAppDeviceGUID(context),
5    FacebookSdk.getLimitEventAndDataUsage(context),
6    context);

The AppEventsLogger.getAnonymousAppDeviceGUID() function just forwards to AppEventsLoggerImpl.getAnonymousAppDeviceGUID (source):

 2 * Each app/device pair gets an GUID that is sent back with App Events and persisted with this
 3 * app/device pair.
 4 *
 5 * @param context The application context.
 6 * @return The GUID for this app/device pair.
 7 */
 9fun getAnonymousAppDeviceGUID(context: Context): String {
10  return AppEventsLoggerImpl.getAnonymousAppDeviceGUID(context)

AppEventsLoggerImpl.getAnonymousAppDeviceGUID() finally implements the actual logic. Similarly to iOS, it first tries to read an existing ID from the SharedPreferences. If that fails, it generates a version 4 UUID using the UUID.randomUUID().toString() function from the java.util.UUID package (documentation), prepends the string XZ, and saves that to the SharedPreferences. (source)

 2fun getAnonymousAppDeviceGUID(context: Context): String {
 3  if (anonymousAppDeviceGUID == null) {
 4    synchronized(staticLock) {
 5      if (anonymousAppDeviceGUID == null) {
 6        val preferences =
 7            context.getSharedPreferences(APP_EVENT_PREFERENCES, Context.MODE_PRIVATE)
 8        anonymousAppDeviceGUID = preferences.getString("anonymousAppDeviceGUID", null)
 9        if (anonymousAppDeviceGUID == null) {
10          // Arbitrarily prepend XZ to distinguish from device supplied identifiers.
11          anonymousAppDeviceGUID = "XZ" + UUID.randomUUID().toString()
12          context
13              .getSharedPreferences(APP_EVENT_PREFERENCES, Context.MODE_PRIVATE)
14              .edit()
15              .putString("anonymousAppDeviceGUID", anonymousAppDeviceGUID)
16              .apply()
17        }
18      }
19    }
20  }
21  return checkNotNull(anonymousAppDeviceGUID)

The Facebook Graph API documentation (archived) describes the anon_id property as “The ID of a person who has installed the app anonymously”. As we have shown above, the “anonymous” here very much does not mean that the ID is not personal data under the GDPR. Presumably, Facebook means users that have not logged in with a Facebook account.