Social Media and Your Privacy Rights

Facebook's Cambridge Analytica scandal highlights the need for additional privacy laws.

Legal Update: Facebook users with an active account between May 2007 and December 2022 can apply for some of its parent company Meta's $725 million settlement related to the Cambridge Analytica scandal. How much you can get depends on how many class members submit valid claims and how long you were a user on Facebook during the relevant time frame. To file a claim, you can fill out a form and submit it online, or print it out and mail it. If you submit a claim through the mail, your claim form must be postmarked by August 25, 2023. If you submit your claim online, the deadline is 11:59 p.m. PDT on August 25, 2023. Go to the official settlement website to learn more and submit a claim.

Facebook and other social media websites collect data you voluntarily supply, like your age, employer, relationship status, and where you live. These sites also often track what other places you visit online and what apps you use. The sites then use that information to sell advertisements. This practice sounds relatively harmless.

But in March 2018, it came out that a political data firm, Cambridge Analytica, improperly harvested and used 87 million Facebook users' personal data. Following this incident, the way Facebook and other websites treat personal information has been under increasing scrutiny.

In response to the scandal, Facebook said it was simplifying and centralizing its privacy settings to make it easier for users to change how much personal information they share. But can users rely on internet companies to self-regulate privacy protections? Most experts think not.

So, a regulatory crackdown at the federal and state levels regarding online privacy is looking more likely and necessary.

Contract Law Typically Determines Your Privacy Rights

Currently, posted privacy policies rather than specific federal or state laws typically determine your privacy rights concerning the personal data that Internet-based companies collect on you. Facebook, for instance, has a privacy policy stating what it can and can't do with your information. To use the site, you must agree to the privacy policy terms.

Following the Cambridge Analytica debacle, Facebook CEO Mark Zuckerberg admitted to House and Senate lawmakers in April 2018 that Facebook hadn't done enough to protect the privacy of its 2.2 billion users' data. He also promised that the company is now committed to safeguarding people's data. But rather than relying on Internet companies to police themselves, the public is starting to demand that lawmakers introduce—and pass—laws that address Internet privacy.

No National Privacy Law—Yet

On April 10, 2018, around the time that Zuckerberg talked to House and Senate lawmakers about data privacy issues, two Democratic senators, Ed Markey (Massachusetts) and Richard Blumenthal (Connecticut), introduced a bill that would protect Americans' personal information from such privacy breaches. The proposed law is called the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act.

The CONSENT Act

The CONSENT Act (S. 2639) is designed to be a privacy bill of rights. It would require the Federal Trade Commission to establish basic protections for the customers of online providers like Facebook and Google.

If passed, the legislation would require providers to:

notify users about the collection, use, and sharing of their personal information
obtain opt-in consent from users before the company could use, share, or sell users' personal information
develop reasonable data security practices, and
notify users when breaches of their data happen.

On April 10, 2018, the bill was referred to the Committee on Commerce, Science, and Transportation. To keep tabs on this bill's progress (actually, lack thereof), go to Congress.gov, the official website for U.S. federal legislative information.

Other Possible Federal Legislation

On April 12, 2018, Senators Amy Klobuchar (D-Minnesota) and John Kennedy (R-Louisiana) announced a plan to introduce a similar bill designed to protect the privacy of consumers' online data. And on January 17, 2019, they introduced the Social Media Privacy and Consumer Rights Act (SB 189), bipartisan legislation that would protect the privacy of consumers' online data.

Also, two other bills that address online privacy are pending before the Subcommittee on Digital Commerce and Consumer Protection in the House Committee on Energy and Commerce:

The Balancing the Rights of Web Surfers Equally and Responsibly (BROWSER) Act of 2017 would authorize the FTC to enforce certain privacy protections, like requiring opt-in consent before a company could use customers' sensitive information.
The Secure and Protect Americans' Data Act would require providers to reasonably secure customers' personal information, as well as notify customers after a data breach.

Unfortunately, none of the proposed laws discussed here have passed and are hung up in committee. If you're concerned about privacy laws and your online data, advocate that Congress pass laws to protect you.

State Privacy Laws

A few states, like Illinois and California for example, have laws addressing privacy, while in others privacy laws are being proposed.

Biometric Privacy Law in Illinois

Social media websites often collect biometric facial data, usually for photo tagging. In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA). This law requires companies to:

ask permission before collecting biometric data
list the reason and length of time a person's data will be stored, and
include those details in a written biometric privacy policy. (740 Ill. Comp. Stat. § 14/15).

The law also allows consumers to sue companies that don't comply with these requirements, which has led to numerous lawsuits, including suits against Facebook.

California Consumer Privacy Act

As of January 1, 2020, the California Consumer Privacy Act gives Californians the right:

to learn what personal information a business collects about them
to request deletion of personal information, and
to opt out of the sale of their personal information without affecting the services they receive. (Cal. Civ. Code § 1798.100 and following).

The law also imposes penalties on companies that don't comply with the law.

What You Can Do

Again, if you're concerned about privacy laws and your online data, advocate that Congress—and your state legislature—pass laws to protect you. Also, read the privacy settings for each social networking and other websites you use, and make all your pages as private as possible.

Remember that you don't have to give all your personal information in your social media profiles—so don't—and don't blindly accept privacy policies without reading them. If you don't agree with a policy, don't accept it.

Talk to a Lawyer

Need a lawyer? Start here.

Practice Area

Zip Code

How it Works

Briefly tell us about your case
Provide your contact information
Choose attorneys to contact you

Get Professional Help

Talk to a Consumer Protection attorney.

How It Works

Briefly tell us about your case
Provide your contact information
Choose attorneys to contact you

Copyright ©2023 MH Sub I, LLC dba Nolo ® Self-help services may not be permitted in all states. The information provided on this site is not legal advice, does not constitute a lawyer referral service, and no attorney-client or confidential relationship is or will be formed by use of the site. The attorney listings on this site are paid attorney advertising. In some states, the information on this website may be considered a lawyer referral service. Please reference the Terms of Use and the Supplemental Terms for specific information related to your state. Your use of this website constitutes acceptance of the Terms of Use, Supplemental Terms, Privacy Policy and Cookie Policy. Do Not Sell or Share My Personal Information