NYDFS Reports on Investigation into Facebook's Transmission of Sensitive Data

After investigation, the New York State Department of Financial Services ("NYDFS") found that Facebook routinely obtained sensitive data, including medical information, that was collected through consumers' use of third-party applications.

New York Governor Andrew Cuomo accepted the report, in which the NYDFS concluded that the receipt of sensitive data was in violation of Facebook's policy, that the data was shared as part of Facebook's free online data analytics services, and that Facebook did not take substantial steps towards enforcing its policy or halting the dissemination of the data.

In response to the investigation, Facebook instituted remedial measures, including (i) implementing a data screening system intended to prevent its receipt of such information, (ii) upgrading its app developer education to better instruct developers regarding their responsibility for preventing the transmission of sensitive data and (iii) providing users with additional control over the collection of personal data.

NYDFS recommended that Facebook further enhance its protection of consumer privacy by implementing:

  • a front-end strategy to prevent the transmission of sensitive data from app developers, rather than heavily relying on a back-end system that cannot reasonably prevent the transmission of all sensitive information; and

  • a system for apps subject to repeated blocks by Facebook that would (i) identify whether a violation actually occurred, (ii) warn those who have been determined to violate Facebook's policy and (iii) impose material sanctions against violators, such as their removal from Facebook's systems.

Additionally, NYDFS recommended the establishment of a "clear nationwide legal framework for accountability enforced by a robust federal regulator." NYDFS expressed support for Governor Cuomo's proposed New York Data Accountability and Transparency Act (or "NYDATA") (Part II of Public Protection and General Government Article VII Bill / NYS FY 2022 Executive Budget), which would (i) require any data-collection entity impacting New Yorkers to disclose its use of such data collection and to limit the data it collects to satisfy that purpose, (ii) clearly protect certain types of sensitive information, including health, biometric and location data, and (iii) create a Consumer Data Privacy Bill of Rights.
