Blood pressure readings, menstrual cycles, and pregnancy status are among the types of sensitive personal data Facebook was caught collecting from third-party app developers without users' knowledge or permission. After a 2019 Wall Street Journal article exposed the practice, New York Governor Andrew Cuomo called on the New York State Department of Financial Services (DFS) to investigate the allegations, describing the practice as an outrageous abuse of privacy. DFS licenses a Facebook money transmitter subsidiary, Facebook Payments, Inc., but the investigation found it "had no involvement in the privacy issues examined." Given that Facebook, the parent, agreed to cooperate "fully" with the DFS investigation, the parties avoided any issues as to jurisdiction.
On February 18, 2021, DFS released a report summarizing its investigation. The findings included the fact that Facebook regularly obtained sensitive personal data from app developers, stored the data on its servers, and analyzed it for use in generating targeted ads—all of which violated Facebook's own policies.
Facebook's ad revenues—which totaled nearly $87 billion in 2020—account for 98.5% of its global revenue. One of Facebook's most powerful tools is a sophisticated data analytics system used to ensure advertising is targeted based on a user's data. Facebook offers website owners and app developers free access to its online data analytics services whereby the developers program their software to collect certain data about users. That data is then sent to Facebook's analytics service so it can be analyzed. Lastly, the Facebook analytics service provides the developer with an analysis of that usage data, which is often linked with other data that Facebook has on a user.
Facebook policies outline the types of information it collects from partners and places responsibility on these partners to ensure that they have the legal right to collect, use, and share user data before providing it to Facebook. It also prohibits app developers and third parties from sending Facebook sensitive data such as health and financial information. During the investigation, however, Facebook admitted that it uncovered many examples where developers violated the policies by regularly sending sensitive data to Facebook. Notably, Facebook maintains that it stored and analyzed the personal data unwittingly because its internal controls were not effective at enforcing the policy.
Facebook has since implemented remedial measures, including building a screening tool to reject sensitive health information and imposing enhanced app developer education. However, DFS noted that Facebook failed to "engage fully" with respect to other remediation proposals, and that Facebook's effort to enforce its own policies against collection of sensitive data was "seriously lacking." DFS further indicated it would like to see greater transparency in the form of detailed disclosures of the sensitive data that was collected and analyzed in the past—along with more strict enforcement of its data-sharing policies in the future—and called on federal regulators with nationwide jurisdiction to compel Facebook to provide full transparency.
Similar to DFS's investigation and report on the Twitter hack—and Twitter's lack of cybersecurity protections that allowed the accounts of cryptocurrency firms and well-known public figures to be hacked—DFS emphasized that this is another incident demonstrating the need for greater oversight of social media and technology companies. DFS concluded its investigative report with the following call to action: "Our regulatory institutions need to rapidly adapt to the challenges presented by social media giants, big tech, and the analytics industry, and it is imperative that we put in place a clear nationwide legal framework for accountability enforced by a robust federal regulator."
