Protecting Consumers’ Right to Privacy Online

Posted by Joe Sayas | Feb 25, 2022 | 0 Comments

In 2010, Facebook instituted an update to its site called "Open Graph,” which introduced Facebook users to a "Like" button that they could click to show to their networks their interests and activities anywhere on the internet. When users updated to Open Graph, this allowed Facebook to gather data about their online activities, including what sites they visited and items they viewed or bought. Facebook tracked all these information even if the user actually did not click the “Like” button or even knew it was there.        

At that time, Facebook said it would not collect a user's private data or activities on partner websites while they were logged out of Facebook. However, it was uncovered that it continued to collect users' private data and internet activities even after logging out. When this issue became news in 2011, Facebook, at first, defended its practice and denied any wrongdoing. Later, it issued a “fix” and explained its policies.

In 2012, twenty-one (21) separate class-action lawsuits for breach of contract and related claims were filed against Facebook in several states. All these cases were later consolidated in California federal court, which dismissed the entire action in November 2017. However, after a successful appeal from the class of users, the Court of Appeal revived parts of the class claims in April 2020. The Court of Appeal ruled that Facebook users had asserted concrete privacy harms. The Supreme Court declined to hear Facebook's appeals. The whole legal battle dragged on for 10 years.

Then, on February 15, 2022, the parties announced a settlement. Facebook agreed to pay $90 million to US Facebook users who had an account between April 22, 2010 and September 26, 2011, and who visited non-Facebook websites that displayed the "Like" button. It also agreed to “sequester and delete” any “wrongfully collected” user data it gathered through this practice.  [The case is In re: Facebook Internet Tracking Litigation, Case No. 5:12-md-02314, in the U.S. District Court for the Northern District of California.]

The information landscape is vastly different in today's world of “cookies” (you cannot eat!) and “algorithms.” In the face of these changes, legislation was enacted to address privacy protection. For instance, the California Consumer Privacy Act of 2018 (CCPA) gives consumers specific rights regarding their personal information that are collected by businesses. This law essentially codifies new privacy rights for California consumers, specifically the following:

  • The right to know about the personal information a business collects about them and their children, how the information is used, and to whom else the information will be shared;
  • The right to delete or limit the use of personal or sensitive information collected from them;
  • The right to opt-out of the sale of their personal information; and
  • The right not to be penalized or discriminated for exercising their CCPA rights.
  • Businesses cannot make consumers waive these rights, and any contract provision that says these rights are waived cannot be enforced.

Individual consumers are allowed to sue businesses for specific CCPA 2018 violations if there is a data breach. Businesses can be held liable if non-encrypted and non-redacted personal information was stolen in a data breach as a result of a failure to maintain reasonable security procedures and practices to protect it. If this happens, consumers can recover monetary damages actually suffered from the breach or “statutory damages” of up to $750 per incident. For all other violations of the CCPA, only the Attorney General can file an action against businesses on behalf of the collective legal interests of the people of California.

CCPA 2018 applies only to for-profit businesses that do business in California and meet any of the following: have a gross annual revenue of over $25 million; buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents' personal information.

In 2020, the California Privacy Rights Act of 2020 (CPRA) also known as Proposition 24, was approved by a majority of California voters to expand protections provided by California's consumer privacy laws and CCPA of 2018. The CPRA takes effect in 2023 and cannot be repealed by the state legislature.

CPRA 2020 requires businesses to obtain permission from a parent or guardian before collecting data from consumers younger than 13. It gives consumers the right to access their personal information and the ability to correct, delete, and transfer their personal information. It also provides privacy protections to employees and independent contractors.

About the Author

Joe Sayas

C. JOE SAYAS, JR., Esq. Recognized as one of California's top employment and labor law attorneys by the Daily Journal, C. Joe Sayas, Jr. has devoted his more than 25-year litigation career to protecting workers' and consumer rights. He has fought for employees discriminated due to disability, ra...


There are no comments for this post. Be the first and Add your Comment below.

Leave a Comment

Contact Us Today

Your inquiries are welcome at no cost!

You’re here likely because you have a question that needs an answer. You may be struggling with decisions that may affect your rights. We have decades of experience handling life-altering and high-value cases in employment law, insurance law, and civil rights. You can depend on us to help you with the compassion that you deserve.

Talk to us and find out how we can help you. Call us at (818) 291-0088 or fill out our contact form today.