Facebook receives highly personal information from apps that track your health and help you find a new home, testing by The Wall Street Journal found. Facebook can receive this data from certain apps even if the user does not have a Facebook account, according to the Journal.
Facebook has already been in hot water concerning issues of consent and user data.
Most recently, a TechCrunch report revealed in January that Facebook paid users as young as teenagers to install an app that would allow the company to collect all phone and web activity. Following the report, Apple revoked some developer privileges from Facebook, saying Facebook violated its terms by distributing the app through a program meant only for employees to test apps prior to release.
The new report said Facebook is able to receive data from a variety of apps. Of more than 70 popular apps tested by the Journal, they found at least 11 apps that sent potentially sensitive information to Facebook.
The apps included the period-tracking app Flo Period & Ovulation Tracker, which reportedly shared with Facebook when users were having their periods or when they indicated they were trying to get pregnant. Real estate app Realtor reportedly sent Facebook the listing information viewed by users, and the top heart-rate app on Apple's iOS, Instant Heart Rate: HR Monitor, sent users' heart rates to the company, the Journal's testing found.
The apps reportedly send the data using Facebook's software-development kit, or SDK, which help developers integrate certain features into their apps. Facebook's SDK includes an analytics service that helps app developers understand its users' trends. The Journal said developers who sent sensitive information to Facebook used "custom app events" to send data like ovulation times and homes that users had marked as favorites on some apps.
A Facebook spokesperson told CNBC, "Sharing information across apps on your iPhone or Android device is how mobile advertising works and is industry standard practice. The issue is how apps use information for online advertising. We require app developers to be clear with their users about the information they are sharing with us, and we prohibit app developers from sending us sensitive data. We also take steps to detect and remove data that should not be shared with us."
A spokesperson for Flo, the period-tracking app, said in a statement it has already started an audit on data privacy that "will cover an exhaustive spectrum of all external analytical tools, not limited to Facebook Analytics." The spokesperson emphasized, "Facebook Analytics' insights are utilized for internal analytics purposes only," but said until the audit is finished, it has limited its use of external analytics programs and released iOS and Android updates that won't send custom app events to any external analytics systems, including Facebook Analytics. Over the weekend, the spokesperson said Flo deleted the Facebook SDK as a precaution "and have requested to delete all user data from Facebook Analytics."
The other two app developers did not immediately return CNBC's requests for comment.
Following the report, New York Gov. Andrew Cuomo directed the New York Department of State and Department of Financial Services to investigate Facebook for what he called an "invasion of consumer privacy" in a statement.
"New Yorkers deserve to know that their personal information is safe, and we must hold internet companies — no matter how big — responsible for upholding the law and protecting the information of smartphone users," Cuomo said in the statement.
Facebook had also considered collecting health information in the past, when it asked major U.S. hospitals to share anonymized data about their patients, as CNBC reported in April, though Facebook said the project had not moved past the planning stage at the time.
Read the full report at The Wall Street Journal.