Photo caption: CEO of Facebook Mark Zuckerberg (C) is surrounded by Capitol Police officers as he walks down a hallway to the office of Democratic Senator from California Dianne Feinstein, on Capitol Hill in Washington, DC, USA, 09 April 2018. Zuckerberg is meeting with lawmakers before testifying in two Congressional hearings this week regarding Facebook allowing third-party applications to collect the data of its users without their permission, and for the company's response to Russian interference in the 2016 US presidential election.

Facebook’s trove of user data may have spread out further than people—and possibly even the company itself—realized.

On Monday, a New York Times investigation revealed that, thanks to Facebook’s data deals, as many as 150 partner companies had deeper access to user information than people were aware of. Even worse, in some cases, the social media giant reportedly left the door swinging open for years after it was supposed to have sealed off access.

According to the report, which covers interviews with former employees and more than 270 pages of internal documents, the amount of personal information at stake went rather deep, depending on the deal. The data called out ranged from users’ names, friends’ names and friends’ public profiles to much more personal content, such as contact information, calendar events and Facebook messages. Some of the most glaring issues appear to involve persistent access, even after users revoked permissions or the deals expired. And other arrangements are still ongoing today.

In all, the recipients number as many as 150 partners over the last 10 years, including major tech companies, retailers and others. Data-sharing partners called out were Amazon, Apple, Spotify, Netflix, Microsoft and the Royal Bank of Canada, which look to be exempt from Facebook’s typical privacy rules.

Some partners, like Apple, claimed to be unaware of the situation—though it seems unconcerned, saying that any such data wouldn’t leave its iPhones anyway. Meanwhile others, such as Amazon, said there was nothing to see here.

In a blog post published late Tuesday, Facebook stopped short of a full-throated denial of the accusations, taking aim at some parts of the report while admitting to others.

In one section, Konstantinos Papamiltiadis, director of developer platforms and programs, wrote, “None of those arrangements or partnerships or features gave companies access to information without users’ permission.”

In another, the post addressed one of the more sensitive claims: “Did partners get access to messages? Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature.” Papamiltiadis used Spotify as an example: “After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.”

On their own, data-sharing integrations aren’t bad things. They enable services to talk to one another, and allow companies to offer social sharing, logins, recommendations and other features without having to build them from scratch or collect all that data themselves. The problem is when the practices aren’t transparent, the processes aren’t policed and users aren’t properly informed of who sees their information or how it’s being used.

This seems to be a recurring theme for Facebook scandals. After a year of heavy scrutiny over its data practices, privacy policies and security efforts, this latest revelation puts the company once more in a deeply awkward position over the same matters. And it may even drive the company into legally dicey territory.

A 2012 agreement with the Federal Trade Commission prohibited the social media company from sharing user data without express consent. While U.S. officials ponder whether Facebook broke the agreement, the U.K.’s Digital, Culture, Media and Sport Committee isn’t wasting any time: The DCMS, which has grilled the company over its privacy practices numerous times, now wants to haul it back in front of the committee and launch an investigation.

“I feel that we have been given misleading responses by the company when we have asked these questions during previous evidence sessions,” DCMS chair Damian Collins MP said in a prepared statement.

The erosion of user trust this year has been steep, and it’s poised to slide further still. That likelihood should be on the radar of every retailer that deals in user data or partners with data-driven platforms — which is practically every tech company these days.

The main question dogging the sector now is whether Congress will take steps toward oversight and regulation. Once that threshold is reached, the reverberations will surely ripple out to the retail industry.

At this point, all eyes will be on how Facebook will handle this episode and others.

On Wednesday, the Washington, D.C., attorney general sued the company in a local court over the Cambridge Analytica scandal, alleging that it failed to protect user data, violating the D.C. Consumer Protection Procedures Act. According to Attorney General Karl A. Racine, the platform “exposed nearly half of all District residents’ data to manipulation for political purposes during the 2016 election.”