A Facebook user logs into their account and is bombarded with dozens of gambling ads. The promotions for online casinos and betting sites offer free spins, “bet boosts”, discounts and bonuses.

But the person has never placed a bet or played a game on a gambling site before – let alone consented to being targeted. How can that happen?

The Observer conducted an experiment to find out how potential gambling customers are being tracked, profiled and targeted online.

To do this, we visited 150 gambling websites run by companies with licences to operate in the UK. First, we took a note of whether the website asked for consent to use data for marketing purposes. Then, without clicking to “agree” or “decline” the use of any data, we looked at the network traffic.

By doing this – and using an official Meta application called Pixel Helper – we were able to see a record of the data being shared with Facebook’s parent company, Meta.

In many cases, no data was shared. But in about a third of cases, the testing found that a tracking tool called Meta Pixel had been embedded into the website – and was being triggered automatically upon loading the webpage. This was sending a report to Facebook about which webpages we had visited, linked to a unique user ID.

In some cases, Facebook was also sent data on which buttons we had clicked, and other browsing activity. One site told Facebook when we clicked a button indicating we might place a bet on the Everton v Liverpool match scheduled for next week. Another told Meta that we had clicked to view a promotion for 100 free spins.

At no point did we ever click to “agree” or “accept” the use of our data for marketing – or consent to it being shared. But when we logged back into Facebook a few days later, the feed was full of gambling ads.

These ads were from a range of brands – including many whose own data-sharing practices had not broken any rules. This is because once data is shared with Meta, it is ingested into its targeted ads system and is used to profile people based on the things Meta thinks they like.

That means Meta can then sell ads to companies wanting to target a particular audience – whether that is pet owners, women seeking fertility treatment, people who love Taylor Swift, or potential gambling customers.

Advertisers can also target potential new customers that Meta thinks will be interested in their brand, including “lookalike” customers who have been profiled by the social media giant as being similar to their existing customers based on things such as their demographic characteristics, interests and behaviour.

In the Observer’s testing, the Facebook user had also been profiled as someone interested in “real money gaming”, according to account records – so it’s possible that ads could have appeared as a result of targeting in this way.

The investigation raises serious questions for regulators about how they are monitoring marketing practices of this sort.

During the testing, we noticed that many of the gambling sites sharing data unlawfully had automatic opt-in consent processes that assume people are happy for their data to be shared based on the mere fact that they are using the website. One consent banner read: “We use cookies to provide you with a better browsing experience. If you continue to use this website we assume you are OK with this.”

This appears to be in breach of data protection regulations. The ICO says consent must be both “unambiguous and affirmative”, and that relying on pre-ticked boxes or a failure to opt out is insufficient. Yet the practice is widespread.

There are also questions about the role of Meta – which profits from selling ads using data transmitted to it, even in cases where it was shared unlawfully.

We have previously written about how other organisations – such as police forces, NHS trusts and a political party – misused Meta Pixel to track website users. In some cases they shared data with Meta on sensitive things such as health problems and reporting crimes. But the barrage of gambling ads that were served on Facebook as a result of this testing was far more intense than anything we had seen before.

Heather Wardle, professor of gambling research at the University of Glasgow, said the “untamed marketing” was “hugely risky”. “If you are already experiencing difficulties from gambling, it is likely to make you gamble more,” she says.

Meta did not comment on the findings, but says its terms stipulate that companies should obtain consent before sending it data. “We educate advertisers on properly setting up business tools,” a spokesperson said.