In 2010, Facebook instituted an update to its site called "Open Graph," which introduced Facebook users to a "Like" button that they could click to show their networks their interests and activities anywhere on the internet. When users updated to Open Graph, this allowed Facebook to gather data about their online activities, including what sites they visited and items they viewed or bought. Facebook tracked all this information even if the user did not actually click the "Like" button or did not even know it was there.
At that time, Facebook said it would not collect a user's private data or activities on partner websites while they were logged out of Facebook. However, it was uncovered that it continued to collect users' private data and internet activities even after they had logged out. When this issue became news in 2011, Facebook at first defended its practice and denied any wrongdoing. Later, it issued a “fix” and explained its policies.
In 2012, twenty-one (21) separate class-action lawsuits for breach of contract and related claims were filed against Facebook in several states. All these cases were later consolidated in California federal court, which dismissed the entire action in November 2017. However, after a successful appeal from the class of users, the Court of Appeal revived parts of the class claims in April 2020. The Court of Appeal ruled that Facebook users had asserted concrete privacy harms. The Supreme Court declined to hear Facebook's appeals. The whole legal battle dragged on for 10 years.
Then, on February 15, 2022, the parties announced a settlement. Facebook agreed to pay $90 million to US Facebook users who had an account between April 22, 2010 and September 26, 2011, and who visited non-Facebook websites that displayed the "Like" button. It also agreed to “sequester and delete” any “wrongfully collected” user data it gathered through this practice. [The case is In re: Facebook Internet Tracking Litigation, Case No. 5:12-md-02314, in the U.S. District Court for the Northern District of California.]
The information landscape is vastly different in today's world of “cookies” (you cannot eat!) and “algorithms.” In the face of these changes, legislation was enacted to address privacy protection. For instance, the California Consumer Privacy Act of 2018 (CCPA) gives consumers specific rights regarding their personal information that is collected by businesses. This law essentially codifies new privacy rights for California consumers, specifically the following:
- The right to know about the personal information a business collects about them and their children, how the information is used, and with whom else the information will be shared;
- The right to delete or limit the use of personal or sensitive information collected from them;
- The right to opt out of the sale of their personal information; and
- The right not to be penalized or discriminated against for exercising their CCPA rights.
- Businesses cannot make consumers waive these rights, and any contract provision that says these rights are waived cannot be enforced.
Individual consumers are allowed to sue businesses for specific CCPA 2018 violations if there is a data breach. Businesses can be held liable if non-encrypted and non-redacted personal information was stolen in a data breach as a result of a failure to maintain reasonable security procedures and practices to protect it. If this happens, consumers can recover monetary damages actually suffered from the breach or “statutory damages” of up to $750 per incident. For all other violations of the CCPA, only the Attorney General can file an action against businesses on behalf of the collective legal interests of the people of California.
CCPA 2018 applies only to for-profit businesses that do business in California and meet any of the following: have a gross annual revenue of over $25 million; buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents' personal information.
In 2020, the California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, was approved by a majority of California voters to expand protections provided by California's consumer privacy laws and the CCPA of 2018. The CPRA takes effect in 2023 and cannot be repealed by the state legislature.
CPRA 2020 requires businesses to obtain permission from a parent or guardian before collecting data from consumers younger than 13. It gives consumers the right to access their personal information and the ability to correct, delete, and transfer their personal information. It also provides privacy protections to employees and independent contractors.