In those cases, Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users' IP addresses, although there is no Facebook ID to tie to the data.
The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said.
Facebook's response to Berteau's research has been a brief statement in which it confirms the findings, but says that in the case of logged-off users, deactivated accounts and nonmembers, Facebook deletes the data upon receiving it.
In Tuesday's blog posting, Zuckerberg made an apparent, passing reference to the CA findings.
"If you select that you don't want to share some Beacon actions or if you turn off Beacon, then Facebook won't store those actions even when partners send them to Facebook," he wrote.
That would seem to indicate that Beacon will continue to track users and send data back to Facebook, leaving it up to Facebook to decide which data it keeps and which it deletes.
Facebook didn't immediately reply to a request for comment about Zuckerberg's blog posting.