Several phone apps are sending sensitive user data, including health information, to Facebook without users' consent, according to a report by The Wall Street Journal. The data is said to include information such as heart rates and pregnancy status.
An analytics tool called "App Events" allows app developers to record user activity and report it back to Facebook, even if the user isn't on Facebook, according to the report.
One example detailed by the Journal shows how a woman would track her period and ovulation using an app from Flo Health. After she enters when she last had her period, Facebook software in the app would send along data such as whether the user may be ovulating. The Journal's testing found that the data was sent with an advertising ID that can be matched to a device or profile.
Although Facebook's terms instruct app developers not to send such sensitive information, Facebook appeared to be accepting such data without telling the developers to stop. Developers are able to use such data to target their own users while on Facebook.
One of Flo's users, a woman who began using the app last year, told The Wall Street Journal she may delete the app over concerns about data privacy. "I think it's incredibly dishonest of them that they're just lying to their users especially when it comes to something so sensitive," the woman, Alice Berg, said.
Flo Health said in a statement that using analytical systems is a "common practice" for all app developers and that it uses Facebook analytics for "internal analytics purposes only." It added that the analytics department at Facebook is separate from the social media platform.
"Facebook Analytics' insights are utilized for internal analytics purposes only: to study user behavior, provide users with the best possible experience and develop a product," Flo said in the statement.
But the company plans to audit its analytics tools to be "as proactive as possible" on privacy concerns.
The report comes as Facebook is dealing with heightened scrutiny over how it handles user data. Last week, British lawmakers issued a scathing report calling for tougher privacy rules for Facebook and other tech firms.
Criticisms over privacy intensified nearly a year ago following revelations that the now-defunct Cambridge Analytica data-mining firm accessed data on some 87 million Facebook users without their consent. The U.S. Federal Trade Commission has been investigating that flap as well and is reportedly in negotiations with Facebook over a multibillion dollar fine.
The data-sharing is related to a data analytics tool that Facebook offers developers. The tool lets developers see statistics about their users and target them with Facebook ads.
The Journal said it tested more than 70 popular apps, and found at least 11 sent potentially sensitive user information to Facebook based on data that the consumers entered or how they behaved.
Besides Flo Health, the Journal found that Instant Heart Rate: HR Monitor and real-estate app Realtor.com were also sending app data to Facebook. The Journal found that the apps did not provide users any way to stop the data-sharing.
Facebook did not immediately respond to a request for comment. It told the Journal that some of the data-sharing appears to violate its business terms. The company says it requires app developers to be clear with users about what they share.
Hours after the Journal story was published, New York Gov. Andrew Cuomo directed the state's Department of State and Department of Financial Services to "immediately investigate" what he calls a clear invasion of consumer privacy. The Democrat also urged federal regulators to step in to end the practice.
Securosis CEO Rich Mogull said that while it is not good for Facebook to have yet another data privacy flap in the headlines, "In this case it looks like the main violators were the companies that wrote those applications," he said. "Facebook in this case is more the enabler than the bad actor."