Facebook's woes mounted Wednesday as it faced a lawsuit alleging privacy violations related to data leaked to a consultancy working on Donald Trump's 2016 campaign, and as a new report suggested it shared more data with partners than it has acknowledged.
Facebook shares already sagging under the weight of the social network's troubles ended the trading day down 7.25 percent to $133.24 and slipped even lower in after-market trades.
The suit filed by the attorney general for the US capital Washington is likely the first by an official US body that could impose consequences on the world's leading social network for data misuse.
"Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used," said Attorney General Karl Racine in a statement.
"Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users' permission. Today's lawsuit is about making Facebook live up to its promise to protect its users' privacy."
The suit filed in Superior Court in Washington seeks an injunction "to ensure Facebook puts in place protocols and safeguards to monitor users' data and to make it easier for users to control their privacy settings," and demands "restitution" for consumers.
Facebook said: "We're reviewing the complaint and look forward to continuing our discussions with attorneys general in DC and elsewhere."
The social network has admitted that up to 87 million users may have had their data hijacked by Cambridge Analytica, which shut down weeks after the news emerged on its handling of private user information.
A whistleblower at the consultancy, which worked on Trump's presidential campaign, said it used Facebook data to develop profiles of users who were targeted with personalised messages that could have played on their fears.
The scandal has triggered a series of investigations and broad review by Facebook on how it shares user data with third parties.
SHARING WITH 150 PARTNERS
The New York Times reported that some 150 companies -- including powerful partners like Amazon, Microsoft, Netflix and Spotify -- could access detailed information about Facebook users, including data about their friends.
According to documents seen by the Times, Facebook allowed Microsoft's Bing search engine to see names of Facebook users' friends without consent and gave Netflix and Spotify the ability to read private messages.
The report said Amazon was able to obtain user names and contact information through their friends, and Yahoo could view streams of friends' posts.
While some of the deals date back as far as 2010, the Times said they remained active as late as 2017 -- and some were still in effect this year.
"It appears that Facebook has not been honest with Congress or the public about how it treats its users' data," Congressman Frank Pallone, a Democrat, said in a tweet.
Facebook's head of developer platforms and programs, Konstantinos Papamiltiadis, said in a blog post that the Times report referred to partnerships that enabled "social experiences -- like seeing recommendations from their Facebook friends -- on other popular apps and websites."
None of those partnerships or features "gave companies access to information without people's permission," he said, adding that the deals did not violate a 2012 privacy settlement with the US Federal Trade Commission.
Papamiltiadis said, however, that "we've been public about these features and partnerships over the years because we wanted people to actually use them."
But he said most of the features are now gone.
Netflix said that the feature was used to make the streaming service "more social" by allowing users to make recommendations to friends, but that it stopped using it in 2015.
"At no time did we access people's private messages on Facebook or ask for the ability to do so," Netflix said in a statement.
Spotify offered a similar response, indicating the music service "cannot read users' private Facebook inbox messages across any of our current integrations."
The Canadian bank RBC, also cited in The New York Times, said the deal with Facebook "was limited to the development of a service that enabled clients to facilitate payment transactions to their Facebook friends," and that it was discontinued in 2015.
Senator Brian Schatz said the latest revelations highlight a need for tougher controls on how tech companies handle user data.
"It has never been more clear," Schatz tweeted. "We need a federal privacy law. They are never going to volunteer to do the right thing."