At the end of February, the Department of Financial Services released a long-awaited report on the “transmission of sensitive user data by application and website designers to Facebook.” The report concludes a nearly two-year investigation by the Department into the use of sensitive personal data by app developers, set in motion by a Wall Street Journal article in February 2019. The timing of the report—in the midst of negotiations on the State Budget—is surely meant to strengthen the case for the Governor’s New York Data Accountability and Transparency Act, which he included in his Executive Budget proposal in January.
The Report focuses on conduct and the immensely complex interaction between Facebook and third-party app developers around sensitive data that Facebook receives from these apps (often against Facebook’s own internal Data Policy). The report found that third-party applications had transmitted sensitive data to Facebook, including heart rates, blood pressure readings, menstrual cycles, and pregnancy statuses. The report cites one specific case where Flo Health—a menstruation and fertility tracking application used by more than 100 million consumers globally—sent data to Facebook every time a user logged a period in the app or indicated that she intended to get pregnant.
The report found that these data transfers occurred despite internal protocols at Facebook that should have prevented sharing of such sensitive data. The primary issue: within Facebook’s platforms for developers—the Facebook Software Development Kit (“SDK”) and Facebook Business Tools—the legal responsibility rests on its partners to ensure that they have the legal right to collect, use, and share data before providing it to Facebook. That policy often resulted in Facebook receiving data contrary to its own internal data policies.
In response to the report and the WSJ article, Facebook has taken several remediation steps, including: a Health Terms Integrity System, which identifies and blocks sensitive user information from being sent to Facebook (the “Block List” now includes over 70,000 terms ranging from sexual and reproductive health to mental health and psychological states); enhanced app developer education to make Facebook’s data policies clearer and more tangible; and an Off-Facebook Activity Tool, which gives users more visibility into the information that Facebook receives from developers using Facebook’s Business Tools.
In addition to those steps, DFS recommended that remediation efforts be taken to strengthen app developer controls and the enforcement of internal data policies. Most importantly, the report supports enhanced regulatory oversight. The report mentions several steps the Federal Trade Commission (“FTC”) has taken, including a consent agreement with the aforementioned Flo Health and orders sent to nine social media and video streaming companies mandating that they provide data on how they collect personal consumer information.
However, the report reiterates the Governor’s position that the steps taken so far by the FTC are woefully inadequate and closes by supporting and highlighting three key elements of the NYDATA Act:
- Mandate that an entity that collects data disclose the purposes of such collection and limit data collection to that purpose;
- Expressly protect categories of sensitive information such as health, biometric, and location data, and create enforcement mechanisms to hold entities accountable for breaches in those protected categories;
- Implement the Consumer Data Privacy Bill of Rights, which ensures that New Yorkers have the legal right to access, control, and delete any data collected from them. (Of note: the Governor’s proposal does not go so far as giving consumers a private right of action, which is a sticking point with the Legislature.)
Legislative Leadership and the Executive Chamber agree on the need for comprehensive data privacy regulations at the State level, but they disagree on many of the specifics. One key sticking point is the Legislature’s preference for a Private Right of Action as necessary for consumers to truly be able to enforce these protections themselves. The Governor has omitted a Private Right of Action from his current proposal.
While Legislative One House Proposals won’t be out until later this month, we do know that both Houses intend to include proposed overarching data privacy regulations of their own (perhaps more in line with the NY Privacy Act, which has been carried by Assembly Member Linda Rosenthal and Senate Consumer Protection Chair Kevin Thomas for the past several legislative sessions and continuously updated over the past few years).
The question facing the Governor and the Legislature is whether or not there is enough time to come to the middle on an overarching framework before April 1st.