What it failed to declare, however, was that the 60 companies it had made a deal with were exempt from such policies, retaining their ability to access the data of users' friends without consent.
"What we have been trying to determine is whether Facebook has knowingly handed over user data elsewhere without explicit consent", Elisabeth Winkelmeier-Becker, one of the German lawmakers who questioned Facebook in April, told the paper.
Who still has access and why?
Facebook quickly rebutted the Times' story in an official blog posting yesterday, stating that such device-specific access was necessary a decade ago when feature phones dominated the market and smartphones had just become available.
Last month, a triplet was born: it emerged that yet another popular Facebook personality app used as a research tool by academics and companies - myPersonality - fumbled the data of three million Facebook users, including their answers to intimate questionnaires.
What does that software do with the data?
The social media giant says that they have ended 22 of these deals and are working to wind down more of them due to a decreased reliance on these private APIs.
Vladeck said the additional penalties could include a court-ordered monitor of Facebook's business practices, injunctions against particular ways of using of consumers' data or heightened monitoring by the FTC. Facebook couldn't develop its own mobile apps for these devices because there would have been no way to get them onto the phones.
Michelle De Mooy, director of the Center for Democracy and Technology's Privacy and Data Project, told Threatpost that the incident once again undermines trust in the data ecosystem and highlights the misalignment between Facebook's understanding of reasonable data-sharing and its users' understanding. The potential for additional infractions may only compound Facebook's legal woes.
The New York Times reports that device makers were able to access data of users' friends, such as relationship status, religion, and political leaning.
The Cambridge Analytica scandal already led the FTC to investigate whether Facebook broke this settlement.
On the other hand, saying "We created these APIs to fill a public need", isn't exactly refuting the notion that these APIs shared more than the usual amount of private data with companies.
"Sure looks like Zuckerberg lied to Congress about whether users have "complete control" over who sees our data on Facebook", Cicilline, the ranking member of the House Judiciary antitrust committee, said in a tweet. But the company has disputed parts of the New York Times' report, and says the situation is very different from the Cambridge Analytica scandal. Usually collected when users log into their accounts through the Facebook app. "All these partnerships were built on a common interest - the desire for people to be able to use Facebook whatever their device or operating system".