Facebook knew Cambridge Analytica was mishandling user data two-and-a-half years ago, COO Sheryl Sandberg told NBC.
But when the company discovered the problem, execs relied on CA's assurances that they had deleted the data.
The company could have done an audit, but did not, she said.
"To this day, we still don’t know what data Cambridge Analytica have," she told the Financial Times. "We made mistakes and I own them and they are on me."
Facebook COO Sheryl Sandberg told NBC's Today show that the company knew Cambridge Analytica had mishandled users' data two-and-a-half years ago, but failed to check any further after CA assured them the data had been deleted.
Had Facebook audited CA's data holdings, Facebook could have prevented the privacy scandal that has derailed the company, Sandberg told Today's Savannah Guthrie.
CA is under investigation in both the US and the UK for the way it harvested 87 million users' data from Facebook and then used that to target voters on behalf of President Trump's election campaign in the US and the Brexit referendum in the UK.
When asked why Facebook didn't check what was going on with CA when it first learned that it was abusing user data back in 2016, Sandberg told Guthrie: "You are right we could have done this two-and-a-half years ago ... We thought the data had been deleted and we should have checked."
"We thought it had been deleted because they gave us assurances, and it wasn't until other people told us it wasn't true but ... we had legal assurances from them that they deleted. But what we didn't do was the next step of an audit and we're trying to do that now."
Sandberg also said, in a different interview, that Facebook cannot conduct such an audit because it must wait for the UK information commissioner to finishes its investigation of CA's election activity. "To this day, we still don’t know what data Cambridge Analytica have," she told the Financial Times.
Sandberg, like CEO Mark Zuckerberg, has been doing a media apology tour for the company's failings. "We made mistakes and I own them and they are on me," she told the FT.
"There are operational things that we need to change in this company and we are changing them ... We have to learn from our mistakes and we need to take action," she said.
She also revealed that Facebook would introduce in America similar privacy standards to those that will be enforced in Europe later this year under the EU's new General Data Protection Regulation (GDPR) and ePrivacy laws.
The two laws require companies get affirmative opt-in permission from every user for every piece of data any company keeps or processes.
The permission process will come as a shock to Facebook users because it will force Facebook to tell them exactly what data it holds on them and who it shares that data with; and it will force users to examine whether they want that level of information sharing to continue.
"Europe was ahead on this," she told the FT.
Most observers expect a measurable reduction in user sharing and engagement to occur once the new rules come into effect.