A new investigative report from The Wall Street Journal today looks into the controversial practice of popular third-party iOS and Android apps sending very personal user data to Facebook. In some cases, this happened immediately after an app recorded new data, even if the user wasn’t logged into Facebook or wasn’t a Facebook user at all. Notably, the report highlights that Apple and Google don’t require apps to divulge all the partners that user data is shared with.

WSJ noted how we share some of the most intimate details of our lives with apps.

Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles or pregnancy status.

What the investigative report discovered was that Facebook purchases this personal data from apps, and in many cases has access to it as soon as new data is recorded. Further, this happens even when users aren’t logged in to Facebook or don’t even have an account.

The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook, according to testing done by The Wall Street Journal. The apps often send the data without any prominent or specific disclosure, the testing showed.

WSJ notes that many of Facebook’s controversial user tracking strategies have been uncovered over the last couple of years, but this investigation uncovered even more concerning details, like what in-app data 11 popular apps are sharing with Facebook.

It is already known that many smartphone apps send information to Facebook about when users open them, and sometimes what they do inside. Previously unreported is how at least 11 popular apps, totaling tens of millions of downloads, have also been sharing sensitive data entered by users. The findings alarmed some privacy experts who reviewed the Journal’s testing.

The tricky part for users is that iOS and Android apps aren’t required by Apple and Google to disclose all of the partners that have access to your data. What’s more, with the apps tested, there was no clear way to prevent them from sending data to Facebook.

Some of the example’s include heart rate app, Instant Heart Rate: HR Monitor, Flo a period and ovulation tracker, and Realtor.com’s app.

In the Journal’s testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple’s iOS, made by California-based Azumio Inc., sent a user’s heart rate to Facebook immediately after it was recorded. Flo Health Inc.’s Flo Period & Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant, the tests showed. Real-estate app Realtor.com, owned by Move Inc., a subsidiary of Wall Street Journal parentNews Corp , sent the social network the location and price of listings that a user viewed, noting which ones were marked as favorites, the tests showed.

Even when users aren’t logged into Facebook, the company can often match up personal data from third-party apps to users once it receives the data.

Here’s how this process works:

As for Facebook, it says it uses this data to “personalize ads and content on Facebook and to conduct market research, among other things.”

Apple told the WSJ it requires user consent to collect data, but as the report points out, users don’t know where the data is going.

Apple said its guidelines require apps to seek “prior user consent” for collecting user data and take steps to prevent unauthorized access by third parties. “When we hear of any developer violating these strict privacy terms and guidelines, we quickly investigate and, if necessary, take immediate action,” the company said.

Google gave a more vague statement:

A Google spokesman declined to comment beyond pointing to the company’s policy requiring apps that handle sensitive data to “disclose the type of parties to which any personal or sensitive user data is shared,” and in some cases to do so prominently.

What do you think? Should Apple do more to protect user privacy in apps? Or does the responsibility land on app developers? Share your thoughts in the comments below!

Read the full investigative report here.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news: