One of Facebook's independent child safety advisers has criticised the firm over a scheme that gave it access to teenagers' highly personal information, without taking more effort to verify their parents had given permission.
But tests by the BBC and others suggested youngsters could easily sign up without getting permission.
Stephen Balkam said Facebook's "rather lax approach" was very worrying.
Facebook is still carrying out the "market research" on Android devices.
But it ended the effort on iPhones because it broke Apple's rules.
"Facebook Atlas is a questionable programme on a number of fronts," said Mr Balkam, chief executive of the Family Online Safety Institute and a member of Facebook's Safety Advisory Board.
"Most concerning is the rather lax approach to getting verifiable parental consent for the teens who participated.
"Given the tech backlash in general and the intense focus on Facebook's privacy policies, this is most unfortunate."
The existence of the scheme was revealed on Wednesday after an investigation by the TechCrunch news site.
It said the app involved had the potential to provide Facebook with "nearly limitless access" to a user's device, including:
- the contents of private messages in chat apps including photos and videos
- web browsing activity
- logs of what apps were installed, and when they were used
- a location history of where the owner had physically been
- data usage
Participants were told to keep the existence of the scheme and their involvement in it "confidential", and in return would earn $20 (£15.30) of gift tokens a month.
Only volunteers based in the US and India were targeted.
But the EU's leading data protection watchdog has shown an interest.
"The Irish Data Protection Commission became aware of this story through yesterday's media reporting," said a statement for the regulator.
"Before we can make any assessment as to whether or not there are any data protection concerns, we will need to understand better to what extent, how and on what basis the personal data in question is being processed and used.
"We have asked Facebook to provide us with this information."
Part of the issue is that the social network may have copied messages and images sent to the volunteers from their friends, who would not have known of the scheme's existence.
The BBC has asked Facebook whether this was the case, but a spokeswoman was unable to provide further detail.
It has also emerged that Google ran a similar data collection scheme involving an iOS app called Screenwise Meter.
Like Facebook, it circumvented Apple's rules by offering the app to consumers via "enterprise certificates", which are supposed to be reserved for providing software to staff or other limited instances.
Google's programme had been in existence since 2012 but has now been pulled.
"The Screenwise Meter iOS app should not have operated under Apple's developer enterprise program - this was a mistake, and we apologise," it said in a statement to TechCrunch.
"We've been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the programme at any time."
Unlike Facebook's scheme, Google only signed up under-18s if they were part of a family group involving adults from the same household.
However, TechCrunch said it was once open to users as young as 13 without this caveat.
It is not known whether Apple plans to take any retaliatory action against the search firm.
However, the iPhone-maker did revoke Facebook's enterprise certificates on Wednesday.
That caused the social network's iOS test apps to stop working as well as other iPhone software it offered exclusively to staff, including a workplace chat app and an app to summon transport.
Facebook is seeking to convince Apple to reverse the punishment.