Social Media and Your Privacy Rights

Facebook's Cambridge Analytica scandal highlights the need for additional privacy laws.

By , Attorney · University of Denver Sturm College of Law

Legal Update: Facebook users with an active account between May 2007 and December 2022 can apply for some of its parent company Meta's $725 million settlement related to the Cambridge Analytica scandal. How much you can get depends on how many class members submit valid claims and how long you were a user on Facebook during the relevant time frame. To file a claim, you can fill out a form and submit it online, or print it out and mail it. If you submit a claim through the mail, your claim form must be postmarked by August 25, 2023. If you submit your claim online, the deadline is 11:59 p.m. PDT on August 25, 2023. Go to the official settlement website to learn more and submit a claim.

Facebook and other social media websites collect data you voluntarily supply, like your age, employer, relationship status, and where you live. These sites also often track what other places you visit online and what apps you use. The sites then use that information to sell advertisements. This practice sounds relatively harmless.

But in March 2018, it came out that a political data firm, Cambridge Analytica, improperly harvested and used 87 million Facebook users' personal data. Following this incident, the way Facebook and other websites treat personal information has been under increasing scrutiny.

In response to the scandal, Facebook said it was simplifying and centralizing its privacy settings to make it easier for users to change how much personal information they share. But can users rely on internet companies to self-regulate privacy protections? Most experts think not.

So, a regulatory crackdown at the federal and state levels regarding online privacy is looking more likely and necessary.

Contract Law Typically Determines Your Privacy Rights

Currently, posted privacy policies rather than specific federal or state laws typically determine your privacy rights concerning the personal data that Internet-based companies collect on you. Facebook, for instance, has a privacy policy stating what it can and can't do with your information. To use the site, you must agree to the privacy policy terms.

Following the Cambridge Analytica debacle, Facebook CEO Mark Zuckerberg admitted to House and Senate lawmakers in April 2018 that Facebook hadn't done enough to protect the privacy of its 2.2 billion users' data. He also promised that the company is now committed to safeguarding people's data. But rather than relying on Internet companies to police themselves, the public is starting to demand that lawmakers introduce—and pass—laws that address Internet privacy.

No National Privacy Law—Yet

On April 10, 2018, around the time that Zuckerberg talked to House and Senate lawmakers about data privacy issues, two Democratic senators, Ed Markey (Massachusetts) and Richard Blumenthal (Connecticut), introduced a bill that would protect Americans' personal information from such privacy breaches. The proposed law was called the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act.


The CONSENT Act (S. 2639) was designed to be a privacy bill of rights. It would require the Federal Trade Commission to establish basic protections for the customers of online providers like Facebook and Google.

If passed, the legislation would have require providers to:

  • notify users about the collection, use, and sharing of their personal information
  • obtain opt-in consent from users before the company could use, share, or sell users' personal information
  • develop reasonable data security practices, and
  • notify users when breaches of their data happen.

On April 10, 2018, the bill was referred to the Committee on Commerce, Science, and Transportation, where it lingered and died in 2018.

Other Federal Legislation Introduced

On April 12, 2018, Senators Amy Klobuchar (D-Minnesota) and John Kennedy (R-Louisiana) announced a plan to introduce a similar bill designed to protect the privacy of consumers' online data. And on January 17, 2019, they introduced the Social Media Privacy and Consumer Rights Act (SB 189), bipartisan legislation that would protect the privacy of consumers' online data.

Also, two other bills that addressed online privacy were pending before the Subcommittee on Digital Commerce and Consumer Protection in the House Committee on Energy and Commerce:

Unfortunately, none of the proposed laws discussed here passed. If you're concerned about privacy laws and your online data, advocate that Congress pass laws to protect you.

State Privacy Laws

A few states, like Illinois and California for example, have laws addressing privacy, while in others privacy laws are being proposed.

Biometric Privacy Law in Illinois

Social media websites often collect biometric facial data, usually for photo tagging. In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA). This law requires companies to:

  • ask permission before collecting biometric data
  • list the reason and length of time a person's data will be stored, and
  • include those details in a written biometric privacy policy. (740 Ill. Comp. Stat. § 14/15).

The law also allows consumers to sue companies that don't comply with these requirements, which has led to numerous lawsuits, including suits against Facebook.

California Consumer Privacy Act

As of January 1, 2020, the California Consumer Privacy Act gives Californians the right:

  • to learn what personal information a business collects about them
  • to request deletion of personal information, and
  • to opt out of the sale of their personal information without affecting the services they receive. (Cal. Civ. Code § 1798.100 and following).

The law also imposes penalties on companies that don't comply with the law.

What You Can Do

Again, if you're concerned about privacy laws and your online data, advocate that Congress—and your state legislature—pass laws to protect you. Also, read the privacy settings for each social networking and other websites you use, and make all your pages as private as possible.

Remember that you don't have to give all your personal information in your social media profiles—so don't—and don't blindly accept privacy policies without reading them. If you don't agree with a policy, don't accept it.

Talk to a Lawyer

Need a lawyer? Start here.

How it Works

  1. Briefly tell us about your case
  2. Provide your contact information
  3. Choose attorneys to contact you
Get Professional Help

Talk to a Consumer Protection attorney.

How It Works

  1. Briefly tell us about your case
  2. Provide your contact information
  3. Choose attorneys to contact you