At least 11 popular apps are reportedly sharing people's sensitive data with Facebook, even if they don't have an account on the social network. The Wall Street Journal found that apps which can help track personal information such as body weight, menstrual cycles and pregnancy are sending such details to Facebook.
The apps that were found to share personal data include Flo Period & Ovulation Tracker, BetterMe: Weight Loss Workouts, Breethe, Realtor.com and Instant Heart Rate: HR Monitor. The report suggests none of these apps had an option for users to prevent them from sharing personal data with Facebook, nor do they necessarily make it clear to people that their data is making its way to Facebook's servers. The publication was only able to decipher the specific types of data that iOS apps send to Facebook, but a third-party test determined that at least one Android fitness app shares weight and height data too.
Thousands of apps use a Facebook analytics tool called App Events that lets developers track user activity. Developers can set up "custom app events," which can be used for ad targeting. That's how the apps identified in the report are sending data to Facebook. While the data is apparently anonymized in some cases, there are sometimes markers that could let Facebook match some of it to users.
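As an added illustration (not code from the report, from Facebook or from any app named above), here is the kind of pre-send filter an app could apply to its own custom events before handing them to a third-party analytics SDK; the event schema, sensitive-key patterns and sample events are constructed for this example:

```python
import re

# Constructed allow-list: the only parameter keys each custom event may carry.
# Hypothetical schema for this example, not Facebook's or any real app's.
EVENT_SCHEMA = {
    "screen_view": {"screen_name"},
    "workout_completed": {"duration_min", "workout_type"},
    "purchase": {"currency", "value"},
}

# Key patterns indicating health, financial or identifying data that should
# never leave the device as an event parameter, whatever the schema says.
SENSITIVE_KEY_PATTERNS = re.compile(
    r"(weight|height|bmi|heart_rate|period|cycle|ovulat|pregnan|"
    r"ssn|social_security|email|phone|advertising_id|idfa)",
    re.IGNORECASE,
)


def sanitize_event(name, params):
    """Return (clean_params, dropped): clean_params keeps only keys the schema
    allows for this event; dropped lists each removed key with its reason.
    An unknown event name gets an empty allow-list, so every key is dropped."""
    allowed = EVENT_SCHEMA.get(name, set())
    clean, dropped = {}, []
    for key, value in params.items():
        if SENSITIVE_KEY_PATTERNS.search(key):
            dropped.append((key, "sensitive"))
        elif key not in allowed:
            dropped.append((key, "not in schema"))
        else:
            clean[key] = value
    return clean, dropped


def audit_events(events):
    """Run sanitize_event over a batch of (name, params) pairs and return the
    names of events that tried to carry sensitive keys, for review alerting."""
    flagged = []
    for name, params in events:
        _, dropped = sanitize_event(name, params)
        if any(reason == "sensitive" for _, reason in dropped):
            flagged.append(name)
    return flagged


# Constructed sample batch resembling the custom events the report describes.
SAMPLE_EVENTS = [
    ("workout_completed", {"duration_min": 30, "workout_type": "hiit", "body_weight_kg": 82}),
    ("cycle_logged", {"period_start": "2019-02-01", "email": "user@example.org"}),
    ("purchase", {"currency": "USD", "value": 9.99}),
]
```

Running `audit_events(SAMPLE_EVENTS)` flags the first two events; only the purchase event would reach the SDK unchanged.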
The social network doesn't seem to be directly at fault here. It instructs developers not to share "health, financial information or other categories of sensitive information" with it. The company told the WSJ that developers have to make it clear to users what data they're handing Facebook, and that some of the reported information-sharing practices seem to violate its terms.
Facebook said it will force the apps mentioned in the report to stop sharing sensitive data and take action against developers if they don't comply. It also claimed it doesn't use sensitive data captured in custom app events to personalize products like ads and the News Feed, and it automatically deletes some types of intimate data it receives, including social security numbers.
Meanwhile, Apple requires app developers to obtain consent from users before collecting their data and to take measures to stop unauthorized third parties from gaining access to that information. Google's policies state apps have to "disclose the type of parties to which any personal or sensitive user data is shared." The app-makers might also face repercussions under privacy rules like the European Union's General Data Protection Regulation.
Update 2/24 2:20PM ET: Flo Health has provided a response, stressing that it takes security "extremely seriously" and that it has "never sold any data point" or relied on sensitive info for ads. It has, however, deleted the Facebook developer kit from its app and asked to delete user data from Facebook Analytics. It's conducting an external privacy audit as well. You can read the full statement below.
"We take users' privacy and data security extremely seriously which is why Flo has never sold any data point to Facebook as well as we never used sensitive data from Facebook Analytics for advertisement. We utilized Facebook Analytics tool, as many other apps do, for us to ensure our app offers the best experience for our users. To clarify, any use of these tools was for internal development only to improve our functionality and service to our users. We also adhere to all legislation around data privacy and security. As a precaution, we have deleted the Facebook SDK from the app and have requested to delete all user data from Facebook Analytics. We will also be conducting a comprehensive data privacy external audit and would encourage any user with concerns to contact us via our dedicated email firstname.lastname@example.org."