Washington DC has sued Facebook for allowing the political consultancy Cambridge Analytica to gain access to the personal data of tens of millions of the site’s users without their permission.

“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” the city’s attorney general, Karl Racine, said in a statement released on Wednesday.

“Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission.”

The Washington DC lawsuit comes as Facebook faces new reports that it shared its users’ data without their permission, giving the streaming giants Netflix and Spotify the ability to read and even delete users’ private messages. It also faces fresh claims that it targets users with location-based adverts even if they block the company from accessing GPS on their phones.

An investigation by the Observer and the New York Times published in March found that Cambridge Analytica, which worked for Donald Trump’s political campaign at one point, had harvested private information from the Facebook profiles of more than 50 million users without permission.

The DC attorney general said in the suit that this exposed nearly half of the district’s residents’ data to manipulation for political purposes during the 2016 presidential election, and alleges Facebook’s “lax oversight and misleading privacy settings” had allowed the consulting firm to harvest the information.

Facebook did not immediately respond to a request for comment on the lawsuit.

This week, an investigation by the New York Times found that Facebook had granted major companies far more exceptions to its privacy policies than previously known, making user data available through loopholes to companies including Amazon, Microsoft, Netflix, Spotify and Sony.

The loopholes suggest a company that was prepared to bend its own rules to keep valuable partners onside.

Facebook gave Netflix, Spotify and the Royal Bank of Canada the ability to read, write and delete users’ private messages; it gave Microsoft, Sony and Amazon the ability to obtain email addresses of their users’ friends as late as 2017; and it gave device manufacturers such as Apple the ability to build special features that plugged into the social network.

The New York Times investigation revealed that it had itself been one of the companies granted access to some of the Facebook user data.

The arrangements bypassed Facebook’s typical privacy protections, making it harder for users to determine where and how their data was being shared by using the tools Facebook had made available for that purpose.

In a statement, Facebook said: “None of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC.”

Some of the reported loopholes were more or less transparent to the end user, and may even have enabled fairer competition. For instance, an integration with Apple allowed iPhone users to link their Facebook calendars with their phone calendars, even if they had changed settings to disable all sharing. The information, Apple says, never went to its servers, instead simply sitting on the iPhone of the Facebook user, allowing them to check upcoming events without opening the Facebook app.

In other cases, Facebook appears to have granted companies far more access than they needed to build the user-focused features, and relied on trust to ensure the access wasn’t abused.

But even the companies themselves seemed surprised by the extent of the rights Facebook had given away. Apple told the Guardian it was not aware that Facebook had granted its devices any special access. Spotify, too, said it was not aware of the broad powers Facebook had handed over.

Netflix replied to the story in a tweet, saying it “never asked for, or accessed, anyone’s private messages. We’re not the type to slide into your DMs.”

Another separate investigation published this week showed Facebook targets users with location-based adverts even if they block the company from accessing GPS on their phones, turn off location history in the app, hide their work location on their profile and never use the company’s “check in” feature.

There is no combination of settings that users can enable to prevent their location data from being used by advertisers to target them, according to the privacy researcher Aleksandra Korolova. “Taken together,” Korolova says, “Facebook creates an illusion of control rather than giving actual control over location-related ad targeting, which can lead to real harm.”

Facebook said in a statement: “Facebook does not use wifi data to determine your location for ads if you have location services turned off. We do use IP and other information such as check-ins and current city from your profile. We explain this to people, including in our Privacy Basics site and on the About Facebook Ads site.”