Facebook might know your heart rate even if you're not on the social network.
At least 11 popular apps sent personal data to Facebook, including information about when a user was having her period or what real estate listings a person viewed, according to testing from The Wall Street Journal. Using Facebook software built into these apps, developers were able to record a user's activity and then hand over this information to the world's largest social network even if the user didn't log into the app via Facebook or isn't a member of the social network.
Heart-rate app Instant Heart Rate: HR Monitor reportedly sent a user's heart rate to Facebook. The tech giant also reportedly knew when a user got her period because she recorded it in Flo Health's Flo Period & Ovulation Tracker app. Realtor.com sent Facebook information about the real estate listings a user viewed, according to the Journal. Users often don't know that the app developer is sending this data to Facebook because there isn't a "prominent or specific disclosure."
The revelation on Friday is the latest among a series of privacy concerns that have rocked Facebook, which could face more government regulation. It also highlights the trove of data Facebook collects from other apps that have tens of millions of users.
The software built into the apps includes an analytics tool made by Facebook that allows developers to see data about users' activities and target those users with Facebook ads.
A common practice?
A Facebook spokeswoman said in a statement that sharing information across apps is "is how mobile advertising works and is industry standard practice."
"The issue is how apps use information for online advertising. At Facebook, we require app developers to be clear with their users about the information they are sharing with us, and we prohibit app developers from sending us sensitive data," she said in a statement. "We also take steps to detect and remove data that should not be shared with us."
Some of the data shared appeared to violate Facebook's business terms, which tell developers not to send "health, financial information or other categories of sensitive information." Facebook said it uses data from apps to improve the ad experiences for its users and advertisers.
Kate Romanovskaia, a spokeswoman for Flo Health, said the use of analytics tools is "common practice" for all app developers.
The company uses Facebook's analytics tool "to study user behavior, provide users with the best possible experience and develop a product," she said.
Still, Flo Health is conducting an audit about the data privacy issue and is looking at the use of all external analytics tools, not just the one created by Facebook. The company also released updates to its period and ovulation tracker app for Android and iPhone users so it won't send data about a user's activity to third-party analytics services.
The Journal, which tested more than 70 popular smartphone apps, discovered that personal data was being sent to Facebook by using software that allowed them to track this online activity.
Kristopher Micinski, a visiting professor of computer science at Haverford College, said in an e-mail that a lot of apps send their information to Facebook.
"Implicitly, apps often include ads, and those ad networks often connect you to Facebook even if the app doesn't talk to Facebook directly," he said. "These large ad networks are all interconnected and share data."
That's why someone who uses a wedding planning app, for example, will start seeing ads on Facebook for wedding venues, he said.
Some politicians, though, want more answers. On Friday, New York Gov. Andrew Cuomo directed two state agencies -- the New York Department of State and the Department of Financial Services -- to look into the report that Facebook was gathering personal data from apps. He also called for action from federal regulators.
"According to the report, a wide range of apps are sending highly personal data to the social media giant apparently without users' consent and even when users are not logged in through Facebook," Cuomo said in statement. "This practice, which in some cases clearly violates Facebook's own business terms, is an outrageous abuse of privacy."
CNET's Laura Hautala contributed to this report.
Originally published at 10:52 a.m.
Update, 12:33 p.m.: Includes statements from Flo Health, a Haverford College professor and the New York governor.