Facebook probably can’t wait for 2018 to end, a year that brought a garden variety of user privacy infringing issues for the world’s largest social network, as well as more questions about the measures Facebook is willing to take to curb the spread of fake news and limit foreign influence on the network.

But Facebook’s problems won’t go away just because the year is drawing to an end. In fact, we’ve got one more report revealing a severe case of Facebook-related user privacy violation.

A report from Financial Times (via 9to5Google) says that a study of 34 of the most popular Android apps found that at least 20 of them send sensitive user data to Facebook without obtaining the user’s consent beforehand. Such data may include information that users wouldn’t want to divulge, such as whether they have any children, and this may be illegal in Europe under the new GDPR privacy act.

The list of apps found to share data with Facebook without consent includes Kayak, MyFitnessPal, Skyscanner and TripAdvisor, the report explains. User data is sent to Facebook as soon as the app is opened:

The information sent instantly included the name of the application, the unique identification of the user with Google and the number of times the application was opened and closed since it was downloaded. Some, such as Kayak, the travel site, then sent detailed information about people’s flight searches to Facebook, including travel dates, if the user had children and what flights and destinations they had searched for.

The data collection practice has serious implications, as it allows Facebook to learn more details about users:

For example, a person who has installed the following applications that we have tried, Qibla Connect (a Muslim prayer application), Period Tracker Clue (a period tracker), Indeed (a job search application), My Talking Tom (an application for children), could be outlined as probable woman, probably Muslim, probable job applicant, probable mother.

One other concern is related to potential cyber attacks, as hackers might find ways to steal the data. The report notes that while Facebook says that the developers are responsible for complying with regulations, the Facebook SDK doesn’t allow developers to include prompts that would ask for user consent.

When app developers complained about the problem to Facebook, the company said that an SDK update would fix the issue, but many popular apps are not using it. Some of the developers who made the changes say the problem continues to linger even with the new Facebook SDK in place.