Date: 2019-02-28

By Sam Schechner

A New York regulator is ramping up a promised investigation of how Facebook Inc. gathered sensitive personal information from popular smartphone applications, after a report by The Wall Street Journal revealed that some apps were sending the social-media giant data, including users' body weight and menstrual cycles.

The state's Department of Financial Services on Wednesday sent a series of letters seeking information and documents from Facebook and the developers behind the at least 11 apps mentioned in the Journal's reporting, according to a person familiar with the investigation.

One letter, addressed to Facebook Chief Executive Mark Zuckerberg, requests information about all companies that have sent Facebook data about mobile application users via software provided by the social-media giant in the last three years, the person said. It also asked the company to provide the categories of data that were shared and a list of all New Yorkers whose data was included, the person added.

Other letters, sent to app developers, seek copies of contracts with Facebook, and descriptions of fees and commissions either paid to or received from Facebook in connection with the use of its software, the person said. All of the letters request that recipients produce the documents by March 15.

The evidence-gathering is the first concrete step in an investigation that New York Gov. Andrew Cuomo ordered last Friday, just hours after the Journal report, which found that the 11 apps were sending intensely personal information to Facebook as soon as it was entered by users or recorded by the app -- regardless of whether the user logged in via Facebook or was a member of the social network.

Mr. Cuomo described the data sharing as "an outrageous abuse of privacy" and called on federal regulators to join and "help us put an end to this practice."

Facebook didn't immediately respond to a request for comment. The company has previously said it instructs developers not to send sensitive information and that it will take action against apps that don't comply.

New York's investigation adds to mounting scrutiny from regulators of Facebook's privacy practices. Last year, the U.K.'s privacy regulator fined Facebook GBP500,000 ($665,000) for allowing political data firm Cambridge Analytica to access data on tens of millions of Facebook users. The U.S. Federal Trade Commission is currently also investigating the company.

On Thursday, Ireland's privacy regulator said that it has 10 open investigations into whether Facebook or its subsidiaries have violated the European Union's new privacy law, called GDPR. Some of the investigations focus on whether the company is legally gathering and processing individuals' data, according to the annual report for the Irish privacy regulator. Ireland is Facebook's lead privacy regulator in the EU because the company has its regional headquarters in Dublin.

Facebook said earlier Thursday that it is cooperating with the Irish regulator, and that it spent over 18 months adapting tools and policies to comply with GDPR.

A spokesman for Ireland's Data Protection Commission didn't have any immediate comment Thursday when asked if the regulator is looking into the data-sharing conduct by apps. But the regulator's annual report expressed concerns over how companies in the online-advertising business could build profiles of people using potentially sensitive information.

The Journal found 11 popular apps -- including six of the top 15 health-and-fitness apps in Apple Inc.'s U.S. App Store -- were using a software-development kit, or SDK, provided by Facebook to send the social network data including users' heart rate or blood pressure.

The apps used a part of Facebook's SDK called "App Events," which allows app developers to define actions performed by users, dubbed "custom events," that the SDK will record and send to Facebook for measurement. Facebook then allows developers to see the data collected from their own users in an aggregated form -- and to target those users with ads on Facebook based on that information.

Facebook has said that it doesn't otherwise use custom app-event data, although the company's business terms of service give it latitude to do so. Facebook also said that it prohibits apps from using the app event system to send sensitive health or financial information, and that it has instructed the apps in the Journal report to stop doing so.

Following the Journal report, at least five of the apps mentioned have either removed Facebook's SDK from their app or stopped sending the social network the sensitive information.

New York's investigation into the matter is being led by the state's Dept. of Financial Services. In its letters to Facebook and the nine developers, the department says it has jurisdiction to investigate because Facebook has a payments subsidiary licensed in New York -- and also has jurisdiction over all financial products and services that affect New York consumers.

New York's Dept. of Financial Services is empowered to issue fines and negotiate settlements. The letters sent Wednesday don't threaten any specific penalties, but say that the department is evaluating the significance of invasion-of-privacy concerns in connection to the license it grants for Facebook Payments, according to the person familiar with the investigation.

The letters also request that Facebook and the app developers detail all remedial actions they've taken or plan to take following the Journal report, providing relevant documents, the person said.

