Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data

State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Consumer Protection Bank Regulatory

State Issues

On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’ consent or knowledge. In 2019, the governor directed NYDFS to perform an investigation into the company’s collection of sensitive personal data from smartphone apps after a media report emerged that claimed app developers regularly sent sensitive data to the company. According to the NYDFS press release, the report’s findings conclude, among other things, that inadequate controls at the company allowed sensitive data to be wrongfully shared, and that the company “did little to track whether app developers were violating its policies” and to date has taken “no real action against developers” that transmit the data. The report outlines various remedial measures the company has undertaken as a result of the investigation, including (i) building and implementing a screening system to identify and block sensitive information prior to entering the company’s system; (ii) enhancing app developer education to better inform developers that they are obligated to avoid transmitting sensitive data; and (iii) taking measures to provide users more control over data that is collected about them, including from off-company activity. The report also includes recommendations for the company to implement to better protect consumer privacy and ensure app developers “are fully aware of the prohibition” on transmitting sensitive data. The steps include that the company should “do more [] to prevent developers from transmitting sensitive data in the first place rather than simply relying so heavily on a back-end screening system.” The report also urges the company to “undertake significant additional steps to police its own rules” by putting in place appropriate consequences for doing so.