A look at the claims:
FACEBOOK: "To be clear: none of these partnerships or features gave companies access to information without people's permission." - from a blog post late on Tuesday by Konstantinos Papamiltiadis, the company's director of developer platforms.
THE FACTS: In this case, the company says that its "integration partners" - such as Amazon, BlackBerry or Microsoft - had to get authorisation from people to turn on these features. Users would have done this by using their Facebook account to log in to the other services, which, technically, counted as giving permission. But people may not have realised just what they were granting permission for.
In addition, according to the Times report, Facebook from its early days formed key data-sharing partnerships with companies, sometimes giving them special access to data - without asking for users' permission.
For example, according to the report, the company used contact lists from "partners" such as Amazon, Yahoo and China's Huawei to suggest potential Facebook friends to users.
Facebook argues that its partners are essentially an extension of itself, as service providers, and thus they don't need to get permission from users as long as they limit data use to providing Facebook-related services.
In all, the report says, more than 150 companies benefited from Facebook's data-sharing practices. While most were technology companies, there were also automakers and media organisations. Some, the Times notes, were still in effect this year.
The permissions issue came up earlier this year, when Facebook was found to have been collecting call and text histories from Android users.
The company said at the time that it got permission from users to do this. Nonetheless, many users, including the New Zealand man who discovered the practice after downloading his Facebook data in March, were surprised that the company was logging this data.
According to internal emails made public as part of a lawsuit , the company was aware that the Android data collection could look bad.
A product manager, Michael LeBeau, wrote in a February 2015 email that the permissions feature - which prompted users to grant access to call logs and text-message history - is "a pretty high-risk thing to do from a PR perspective". But, he added, "the growth team will charge ahead and do it."
FACEBOOK: "Nor did they violate our 2012 settlement with the FTC," or Federal Trade Commission. - from the same blog post.
THE FACTS: As part of the settlement, Facebook is required to obtain people's "affirmative express consent" before making changes that override their privacy preferences. This could apply to sharing the content of private messages, friends' lists and other information that Facebook gave its partners access to.
Thus, Facebook's assertion that most of its data-sharing partnerships were exempted is on shaky ground.
The FTC's former chief technologist, Ashkan Soltani, and three former employees of its consumer protection division told the Times that the data-sharing deals probably violated the agreement.
One said the partnerships seemed to give third parties permission to harvest data without users being informed of it or giving consent.
Facebook argues that it subjected those partners to its own rules about data use. But the Times report raises questions about how well Facebook managed those partners' access.
The matter could ultimately be decided by the FTC. The agency said in March it was looking into whether Facebook engaged in unfair acts that might have violated the decree.