New York regulators said in a new report that Facebook did little to enforce a policy that prevents it from collecting sensitive user data from apps, and was regularly sent users' personal data from app developers.
The New York State Department of Financial Services acknowledged that the social media giant has taken positive steps to remediate the problem in response to its probe, but called for more internal controls.
MORE: Apple's latest privacy update faces heat from FacebookThe investigation came after a Wall Street Journal article in 2019 reported that personal health apps, including menstruation trackers and others that collect intimate personal details, were quietly passing that data onto Facebook.
The DFS said that wrongfully shared data included medical information such as diagnoses, blood pressure readings and even fertility data. The agency said this personal data was regularly shared with Facebook by app developers who downloaded Facebook's Software Development kit, a part of Facebook's free online data analytics services.
"Large internet companies have a duty to protect the privacy of their consumers -- period," Gov. Andrew Cuomo said in a statement Thursday. "A lack of universal standards and online regulation has led to unsolicited and predatory data collection and sharing which has compromised the privacy of countless New Yorkers and we're taking steps to hold these bad actors accountable and to create the strongest privacy protections in the nation."
MORE: Facebook passes final decision to ban Trump to oversight boardCuomo initially called for the DFS investigation after the Wall Street Journal report.
"Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule," Superintendent of Financial Services Linda A. Lacewell said in a statement Thursday. "By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place. Consumers deserve better."
The DFS said that as a result of its investigation, Facebook created and implemented a screening system to identify and block sensitive information before it enters the Facebook system. The company also said it's taken steps to make clearer to developers their obligations in preventing sensitive data from being transmitted.
The agency lauded these "important first steps," but said Facebook must do more to ensure that developers are fully aware of its prohibition on transmitting sensitive data. The DFS also called for Facebook to do more to prevent developers from transmitting sensitive data in the first place, rather than simply relying on a back-end screening system.
Finally, the DFS report urged Facebook to take additional steps to enforce its own rules.
A Facebook company spokesperson told ABC News that sharing sensitive data through third-party tools "is an industry-wide problem" and the company "welcomed engaging with New York on efforts to address this challenge."
"Our policies prohibit sharing sensitive health information and it’s not something we want," the spokesperson added. "We have improved our efforts to detect and block potentially sensitive data and are doing more to educate advertisers on how to set-up and use our business tools."