Facebook is facing another investigation, reports revealed this week, this time allegedly over deals allowing other companies to access users' data without their consent.

According to reports from The New York Times, the social media platform allowed companies to access users' data regardless of their privacy settings. Facebook didn't outline its partnerships with Microsoft, Amazon or Apple in its privacy policy. The company did not immediately respond to request for comment.

Jim Halpert, a DLA Piper partner and co-chair of the firm's data protection, privacy and security practice, said Facebook's 2011 consent agreement with the U.S. Federal Trade Commission to reduce its data sharing makes the Menlo Park, California-based company a “unique target.”

While other companies may not face as much scrutiny, he said it's still a good idea for in-house counsel to check their privacy policies and ensure they include information about where data is shared, especially as the California Consumer Privacy Act's 2020 implementation approaches. U.S. companies processing European Union residents' data already must comply with the General Data Protection Regulation.

“You need to be transparent about it. But also, preparing for the [CCPA], it will be important to map and understand those information sharing arrangements,” he said. “Under GDPR, there are sharp restrictions on sharing EU subject data with third parties.”

Under some data protection laws, including GDPR, companies are also required to ensure third parties accessing user data are secure and compliant.

Sandra Jeskie, a partner at Duane Morris, said outside of the CCPA, the U.S. still doesn't have many laws limiting companies' ability to share user data or outlining requirements for privacy policies. But that is likely to change, she added, as federal legislators debate a national data protection law. Many states are in the process of creating their own legislation.

“People have seen GDPR, they're now seeing [CCPA], and of course there's been some very significant, high-profile data breaches of information,” Jeskie said. “Certainly, legislators are much more cognizant of the privacy protections, and I think we're starting to see a change in the U.S. consumer version of what information should be protected and not. We're seeing some momentum for a national privacy law.”

To comply with the CCPA and GDPR and keep consumer trust, companies should outline in detail their privacy practices. Jeskie and Halpert said some companies treat privacy policies more like a short media statement than a source of in-depth information for consumers.

As legislators and consumers grow more aware of potential cyber risks, it's important for companies to understand what user data they're collecting, why they're collecting it and how they're sharing and storing it, Jeskie said, so they're able to share that information with users.

She noted privacy policies may change over time as the company launches new products and features. Customers need to be notified when that happens.

“In the [CCPA], in the privacy policy itself it's required that you have to describe the process by which you're going to notify consumers, to the extent that they have material change to the privacy policy,” Jeskie said. “So if you're doing something that is different, sharing additional information … when you have those kinds of changes, you really need to make sure that you present that notification.”

Read More: