The following report was published last week at the chaos computer congress in Leipzig, Germany and makes its way in the general press.
The video from the congress is also worth looking at, also for the questions asked at the end:
The short summary is that Facebook gets private data from a vast number of apps installed on Android phones, even if you do not have a Facebook account and do not have the Facebook app. They do that the moment you open the app, even before you acutally use it.
App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. The apps that automatically transmit data to Facebook share this data together with a unique identifier, the Google advertising ID, so that, when combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines.