> and facebook wasn't involved aside from providing such an SDK/backend service.

I don't think that's the case. If Facebook used the data for advertising, they should have checked that it was legal to do so.

I would agree with you if they only provided the backend service. But once they started using the data themselves, they should have checked.