Facebook Draws Criticism from NY Regulators for Failing to Police Data Sharing Practices

Mar 1, 2021 | Blog

On February 18, 2021, the New York State Department of Financial Services (NYDFS) released an investigative report confirming that Facebook had previously failed to prevent third-party apps from sharing sensitive user data, a practice that violates Facebook’s own privacy policies.

The impetus for the investigation came after a 2019 Wall Street Journal article revealed that a variety of popular third-party applications were routinely sharing sensitive health information with Facebook, with little or no disclosure to consumers. The WSJ report found that the apps, which all used a Facebook analytics tool, transmitted highly personal health information (such as weight, blood pressure, heart rate, and menstrual cycle tracking) to the tech giant for the purpose of matching users’ data with their Facebook profiles and creating targeted ads.

After the WSJ article was published, New York Governor Andrew Cuomo ordered the Department of Financial Services to conduct a probe into Facebook’s handling and policing of third-party data sharing. While Facebook’s privacy standards prohibit app developers from sharing sensitive user information, the NYDFS found that Facebook did little to actually enforce this rule.

“Essentially, notwithstanding Facebook’s policy that app developers should not transmit sensitive data to Facebook, there were many examples where the developers violated that policy and Facebook did indeed — unwittingly, it contends — receive, store, and analyze sensitive data,” the report reads. “The information provided by Facebook has made it clear that Facebook’s internal controls on this issue have been very limited and were not effective at enforcing Facebook’s policy or preventing the receipt of sensitive data.”

Since the Department’s investigation, Facebook has taken several remedial measures. They’ve developed and implemented a back-end screening system meant to detect and block health-related information coming from third parties, as well as creating a tool that allows Facebook users to see and manage the data flow between Facebook and any third-party apps. The company has also upped its efforts to educate app developers on their responsibilities regarding the confidentiality of sensitive consumer information.

Facebook, however, declined to conduct a “look back,” as requested by the Department of Financial Services, to fully ascertain the volume of sensitive data it had received in violation of its own policies. The developer of the app that triggered the investigation, Flo Health, Inc., entered into a Consent Agreement with the Federal Trade Commission on January 13, 2021, with regard to its sharing of sensitive data with third parties that provided marketing and analytics services, such as Facebook.

Regulators are still calling for greater oversight and continued accountability from Facebook—and other media companies with access to highly personal information—regarding the unauthorized sharing of data. “Large internet companies have a duty to protect the privacy of their consumers—period,” said Governor Cuomo. “A lack of universal standards and online regulation has led to unsolicited and predatory data collection and sharing which has compromised the privacy of countless New Yorkers and we’re taking steps to hold these bad actors accountable and to create the strongest privacy protections in the nation.”

If you have any questions regarding data privacy or cybersecurity regulations, pleases contact Kenneth Rashbaum.