Facebook gave Netflix and Spotify the ability to read and even delete users’ private messages, a new investigation has revealed.

The social media giant granted major companies far more exceptions to its privacy policies than previously known, making user data available through loopholes to companies including Amazon, Microsoft and Sony.

The loopholes, reported by the New York Times, suggest a company that was prepared to bend its own rules to keep valuable partners onside.

Facebook gave Netflix, Spotify and the Royal Bank of Canada the ability to read, write and delete users’ private messages; it gave Microsoft, Sony and Amazon the ability to obtain email addresses of their users’ friends as late as 2017; and it gave device manufacturers such as Apple the ability to build special features that plugged into the social network.

The New York Times investigation revealed that it had itself been one of the companies granted access to some of the Facebook user data.

The arrangements bypassed Facebook’s typical privacy protections, making it harder for users to determine where and how their data was being shared by using the tools Facebook had made available for that purpose.

In a statement, Facebook said: “None of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC.”

Some of the reported loopholes were more or less transparent to the end user, and may even have enabled fairer competition. For instance, an integration with Apple allowed iPhone users to link their Facebook calendars with their phone calendars, even if they had changed settings to disable all sharing. The information, Apple says, never went to its servers, instead simply sitting on the iPhone of the Facebook user, allowing them to check upcoming events without opening the Facebook app.

In other cases, Facebook appears to have granted companies far more access than they needed to build the user-focused features, and relied on trust to ensure the access wasn’t abused. Spotify, Netflix and the Royal Bank of Canada, for instance, were granted access to read, write and delete private messages on the Facebook platform. That access was granted to allow the companies to build their own unique implementations of a private message feature, allowing users to, for instance, send a Facebook message linking to a song.

But even the companies themselves seemed surprised by the extent of the rights Facebook had given away. Apple told the Guardian it was not aware that Facebook had granted its devices any special access. Spotify, too, said it was not aware of the broad powers Facebook had handed over.

Netflix replied to the story in a tweet, saying that it “never asked for, or accessed, anyone’s private messages. We’re not the type to slide into your DMs.”

Damian Collins, the chair of the UK’s DCMS committee, said the news “shows that Facebook offers preferential access to user data to some of its major corporate partners. The scale of the business these companies do with Facebook underpins the value of their relationship. Facebook rewards these firms with data privileges that other organisations do not enjoy.”

Collins’ parliamentary committee had previously revealed similar arrangements after obtaining internal Facebook emails that showed the company considering special access for partners including Tinder and the Royal Bank of Canada.

“We have to seriously challenge the claim by Facebook that they are not selling user data,” he added. “They may not be letting people take it away by the bucket-load, but they do reward companies with access to data that others are denied, if they place a high value on the business they do together. This is just another form of selling.

“We remain concerned as well about Facebook’s ability to police what happens to user data when it is shared with developers, as was highlighted by the Cambridge Analytica data breach.”

In its statement, Facebook listed a number of ways that it said companies used the special access they were given:

Apps that allowed people to access their Facebook account on their Windows Phone device.

Notifications about their activity on Facebook that they could turn on while they were using Safari or other browsers.

“Social hubs” that consolidated their feeds across Facebook, Twitter, and other services.

Messaging integrations that allowed people to recommend things like songs from Spotify to friends.

Search results in Bing and elsewhere based on public information their friends shared.

Tools that helped them find friends on Facebook by uploading their contacts from email providers like Yahoo.

The social network also highlighted, however, that “most of these features are now gone. We shut down instant personalisation, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognise that we’ve needed tighter management over how partners and developers can access information using our APIs.”

Facebook also emphasised that the partnerships all required consent from users, generally through signing in to Facebook in the target app.

Alex Stamos, a security researcher at Stanford university, and formerly Facebook’s chief information security officer, argued that some integrations of the kind revealed could be good for users, but that it was unclear which were or weren’t.

“Allowing for 3rd party clients is the kind of pro-competition move we want to see from dominant platforms,” Stamos tweeted on Tuesday evening. “For ex, making Gmail only accessible to Android and the Gmail app would be horrible. For the NY Times to try to scandalize this kind of integration is wrong.

“But integrations that are sneaky or send secret data to servers controlled by others really is wrong.”

Most developers have to build Facebook integration through a standardised set of tools, limiting what they can do with user data, and providing an easier route for users to assess requests, approve or reject them, and periodically check which third-parties have access to their information.