An illustration with Facebook like icons

Facebook reportedly gave its business partners far more access to your personal information than previously disclosed, the latest reminder that consumers should be extra cautious about what they share on social media.  

According to The New York Times, Facebook gave a wide-ranging collection of partners—including Microsoft, Apple, Spotify, and the Royal Bank of Canada—special access to consumer data, often without the consent of the social media site’s users.

"The company was routinely sharing more of your data than was necessary, and appeared to exercise very little oversight," says Justin Brookman, director of consumer privacy and technology policy for Consumer Reports.

This latest report follows a major data breach at Facebook in October and a smaller one affecting users' photos earlier this month. The Washington, D.C., attorney general has announced plans to sue the company over the Cambridge Analytica scandal that surfaced in March. 

In addition to being careful about sharing online, consumers can take several steps to protect their privacy better, which are outlined below. 

More Than Posts and Likes

According to The New York Times, some of the data was shared without the consent of users, though in other cases they did opt in, even if the exact nature and extent of the sharing wasn’t obvious.

For example, Microsoft's search engine Bing could see the names of almost all of a user's friends without consent, and some companies could handle users' private messages.

"It's not just posts and likes, it's also private messages," says Pam Dixon, executive director of the World Privacy Forum. "If people weren't outraged before, they should be now."

Facebook posted a statement Thursday explaining the intent of the data sharing with partners.

"We worked closely with four partners to integrate messaging capabilities into their products so people could message their Facebook friends—but only if they chose to use Facebook Login," wrote Ime Archibong, VP of product partnerships. "No third party was reading your private messages, or writing messages to your friends without your permission." 

Netflix, Microsoft, the Royal Bank of Canada, and Spotify, which were cited in the Times reporting, all denied misusing consumer data in separate emails to Consumer Reports.

Netflix noted that it had launched a feature in 2014 to let users recommend TV shows and movies to their Facebook friends via Messenger, but then shut down the feature in 2015.

"At no time did we access people’s private messages on Facebook, or ask for the ability to do so," wrote a Netflix spokesperson. 

The other companies said they had similarly ended their own uses of Facebook's messenger service and had been respectful of consumer communications.

"We have no evidence that Spotify ever accessed users’ private Facebook messages,” Spotify said.

"We did not have the ability to see users’ messages," wrote Royal Bank of Canada spokesperson AJ Goodman. 

"Throughout our engagement with Facebook, we respected all user preferences," Microsoft said. 

Advocates say that Facebook was irresponsible to leave the door unlocked for years after these programs officially ended.

"Some of the companies had continuing access to user data and seemingly didn't even know it," Brookman says. "Facebook was utterly indifferent to safeguarding consumer privacy. The core question is 'How can users trust Facebook going forward?'" 

More on Facebook

Though the features using consumer data under the instant personalization program were discontinued in 2014, Bing retained access to much of the data through 2017. The movie-rating site Rotten Tomatoes and the music-streaming site Pandora weren't cut off until late summer, according to the Times. 

Facebook acknowledged the problem on its newsroom page on Wednesday in response to the Times article.

"We shouldn’t have left the [application program interfaces] in place after we shut down instant personalization," wrote Konstantinos Papamiltiadis, the company’s director of developer platforms and programs. The APIs allowed outside companies to access the data.

The company has been operating under a consent decree from the Federal Trade Commission since 2012 that requires it to beef up its privacy policies, place limits on the retention of consumer data, and require express consent from users before enacting changes that override their privacy preferences. Some privacy advocates argue that activities outlined in the Times story violated that agreement with the federal government. 

"Facebook appears to be in violation of the consent decree," says CR's Brookman. "This adds fuel to the fire and could increase the penalties by tens of millions of dollars, as well as putting pressure on state attorneys general to do something."

Facebook refuted such claims. “To be clear: None of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC,” said Papamiltiadis in a statement on the company's newsroom page.

For consumers worried about privacy, here are some steps you can take to protect yourself. 

Be Stingy With Personal Data

The major lesson is to think twice before sharing online.

"Be stingy when it comes to sharing you personal data," warns Brookman.

Here are some tips for managing Facebook's privacy settings and limiting data collection by the company and its partners. 

And if you’re really aggravated by all of this, you can always delete your Facebook account—and all the related data, including your photos, will be deleted from your account. (It can take a few weeks for your data to officially be deleted.)

How to Delete Your Facebook Account

Beware: Once you cross this line, there’s no going back. Your photos, status updates, and messages will disappear, and your name will vanish from Facebook search. Forever.

Before you hit “delete,” you may want to save much of that data by downloading your personal information. It includes posts, photos, and videos you’ve shared with others; messages and chat conversations; and the details provided in the About section of your profile. (Click here for a full list of archive data.)

Facebook will generate a copy of your personal archive and send it to you via an email with a link to a zip file. Just be sure to save that file before you delete your account.

If you use Facebook Login to access third-party apps and sites, you may also want to create new log-ins and passwords for those services so that you don’t lose access to the accounts. (Not sure which apps and websites are linked to your Facebook account? Check out the Apps section in Settings for a complete list.)

Going forward, you can keep your log-in credentials and passwords handy across multiple devices with a password manager.

Once you’re finally ready to make your grand exit from Facebook, it’s relatively simple: Go to this page and click “Delete my account.”

Once you do this, your data will not be accessible to others on Facebook. It may, however, take up to 90 days from the start of the deletion process for all your information to be deleted from Facebook’s backup systems, according to the company.

And there's no way to be sure you've scrubbed yourself completely from every Facebook platform. Messages you’ve sent to friends will still be visible in their inboxes, for example, and any posts you’ve made in groups will remain unless you delete them before opting to end your ties to Facebook.

Editor's Note: This article was updated with responses from Netflix, Spotify, Microsoft, and the Royal Bank of Canada, and a new statement from Facebook about third-party access to Facebook messages.