A recent Wall Street Journal investigative report describes how certain Facebook apps (third party applications running on the Facebook platform) send personal information to advertisers and third party tracking companies in violation of the Facebook Privacy Policy and the Facebook agreements binding the app companies. According to the article, certain apps send Facebook "user IDs" (a unique number assigned to a Facebook user) to advertisers and other third parties. These third party recipients can lookup the user ID on Facebook and gather information about the user -- at a minimum, his or her name, but also any other information that the individual makes publicly available. This issue is similar to another that arose earlier this year in which several social networking websites shared personal information with advertisers when the sites included such user IDs in the "referrer" HTTP headers sent to advertisers.

The fallout thus far has been swift. The co-chairmen of the U.S. House of Representatives Bipartisan Privacy Caucus (U.S. Reps. Markey and Barton) have sent an inquiry to Facebook about the issue. The Canadian Privacy Commissioner is considering yet another investigation of Facebook. And two class action lawsuits have been filed, the first targeting one of the major app companies named in the article (Zynga Game Network) and the other naming Facebook as a defendant. Both claim breach of the federal Stored Communications Act, among other causes of action.

To avoid these situations, companies should include appropriate contractual protections such as requiring web publishers, advertising networks and other web business partners to provide warranties and indemnities related to the unauthorized transmission of such personal information. Companies should also consider conducting periodic technical reviews of the data flows among their business partners to ensure that no unexpected data is being transmitted.