On Thursday, the New York State Department of Financial Services (DFS) issued a report on the findings of its investigation into Facebook following a Wall Street Journal article, which prompted New York Governor Andrew M. Cuomo to direct the DFS to investigate the “transmission of sensitive user data by application and website designers to Facebook.”
The report reveals that the investigation discovered that app developers regularly send Facebook sensitive data, such as medical and personal data, which comes from individuals using third-party apps and websites, as part of Facebook’s free online data analytics services. The DFS noted that this aforementioned data sharing violates Facebook policy, however, “Facebook took few steps to enforce the policy or to block the flow of sensitive data prior to the state’s investigation.” Specifically, Facebook often had consumer data shared to it by app developers who downloaded Facebook’s Software Development Kit in connection with its free online data analytics services. This personal data included sensitive or medical data like health diagnoses, blood pressure numbers, and fertility data. For example, fertility app Flo Health was sued over this conduct by a consumer and has also settled with the FTC for sharing consumers’ sensitive health data with Facebook and other third-parties.
The report centers around the alleged conduct, as well as the purportedly insufficient controls at Facebook which allowed this to happen, measures that Facebook has taken to remedy this situation following the DFS’s investigation, and the DFS’s recommendations to protect consumers’ privacy. In particular, Facebook’s purportedly inadequate controls meant that Facebook was not keeping track of whether app developers were violating its policy. The DFS investigation reportedly caused Facebook to build and implement “a screening system that is designed to identify and block sensitive information before it enters the Facebook system,” while improving app developer education to inform developers that they are obligated to not transmit this type of data, and providing users with more control over their data collection. The DFS found that in addition to the efforts that Facebook has already undertaken, Facebook must “meaningfully ensure that developers are fully aware of its prohibition on transmitting sensitive data,” and to take additional steps to prevent app developers from initially sharing this data as opposed to solely using Facebook’s own screening system. Additionally, the DFS asserted that Facebook must take more steps to enforce its rules. The DFS also noted the need for more federal regulatory oversight, arguing that this regulation has not kept pace with technology.
Lastly, the DFS’s report supports adopting the Governor’s proposal to enact NYDATA, a data privacy law to protect New Yorkers’ data, such as by requiring various disclosures and limitations of large data collection, would enhance New Yorkers’ privacy protection. The report noted that the “investigation has shown that the NYDATA law is necessary.”
In a press release, Governor Cuomo stated, “Large internet companies have a duty to protect the privacy of their consumers – period. A lack of universal standards and online regulation has led to unsolicited and predatory data collection and sharing which has compromised the privacy of countless New Yorkers and we’re taking steps to hold these bad actors accountable and to create the strongest privacy protections in the nation.”
“Consumer protection is at the center of everything we do at DFS, and data privacy is increasingly important to consumers. Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule,” Superintendent of Financial Services Linda A. Lacewell said in the press release. “By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place. Consumers deserve better.”