Facebook Privacy News
https://www.facebook.com/privacy/policy
Event Timeline
52 events
Facebook removed references to its United States Regional Privacy Notice from its main privacy policy. The removed sections included links and mentions of consumer privacy rights available to U.S. residents under regional laws. This appears to be a structural reorganization rather than a substantive change to actual privacy practices, as the regional notice likely still exists as a separate document.
The U.S. Supreme Court declined to hear Meta's appeal of a Vermont lawsuit accusing the company of designing Instagram to be addictive to young users and misleading consumers about safety risks. Vermont's attorney general claims Meta exploited teenagers' developing brains to foster compulsive use and sell advertising, including targeting Vermont markets, as part of a coordinated effort by 42 state attorneys general. Meta argued Vermont courts lack jurisdiction since the app wasn't designed in...
Meta, along with YouTube, Snap, and TikTok, settled a lawsuit brought by Kentucky's Breathitt County School District seeking payment to cover costs of addressing social media-related mental health harms among students. The settlement terms were not disclosed, but it resolves what was set to be the first federal bellwether trial among approximately 1,200 similar cases filed by school districts nationwide against social media platforms. The settlements come after Meta faced back-to-back trial l...
Santa Clara County has sued Meta, alleging the company profits from a "vast ecosystem of scam ads" on Facebook and Instagram that defraud vulnerable users, particularly seniors. The lawsuit claims Meta earns up to $7 billion annually from scam advertisers, citing internal documents and recent reports showing the company removed 159 million scam ads last year but continues to host fraudulent content including fake celebrity endorsements and Medicare scams. This is the third major lawsuit again...
Meta is deploying AI technology across Facebook and Instagram to detect underage users by analyzing profile content, photos, and videos for age-related clues like birthday mentions, school grades, and physical characteristics such as height or bone structure. Accounts flagged as potentially underage will be deactivated until the user provides age verification, with the technology expanding to Instagram Reels, Live, and Facebook Groups. Meta emphasizes this visual analysis assesses general age...
A New Mexico court ordered Meta to pay $375 million in a child safety case, and the state is now seeking additional court-ordered changes to Meta's business practices including age verification for state users, banning end-to-end encryption for those under 18, and usage caps of 90 hours per month for minors. While the requirements would technically apply only to New Mexico, Meta could extend them to other states for operational simplicity, potentially setting a precedent for court-mandated ch...
Nigeria's Data Protection Commission imposed a $32.8 million fine on Meta in February 2025 for processing data from over 60 million Nigerian users without proper consent and making unauthorized cross-border data transfers. In October 2025, Nigeria quietly settled with Meta, waiving the entire fine in exchange for Meta covering legal costs and committing to vague improvements, with the settlement explicitly stating no admission of wrongdoing. The reversal eliminated most of the original enforc...
The European Commission has found Meta in preliminary breach of EU Digital Services Act for failing to effectively prevent children under 13 from accessing Facebook and Instagram, despite the company's own age requirements. The investigation found that children can easily bypass age restrictions by entering fake birthdates with no verification, and Meta's reporting tools for underage accounts are ineffective. If the findings are upheld, Meta could face fines of up to 6% of its global annual r...
Meta was fined €17 million ($18.6 million) by Ireland's Data Protection Commission for failing to implement adequate security measures to prevent multiple data breaches on Facebook, including a 2018 software bug that gave outside developers unauthorized access to millions of user photos. The fine, issued under EU privacy regulations, affects tens of millions of Facebook users whose accounts were compromised due to Meta's technical and organizational security failures. The penalty represents e...
Italy court allows class action against Meta over Facebook data scraping (Reuters)
Over 70 civil rights organizations, including the ACLU and Electronic Privacy Information Center, have written to Meta CEO Mark Zuckerberg demanding the company abandon plans to add facial recognition to its smart glasses, warning the technology would enable stalkers and predators to identify people without their knowledge or consent. The planned feature, called "Name Tag," would use AI to identify people in the wearer's field of view and display information about them, with an internal Meta ...
A Guardian investigation uncovered evidence that child sex traffickers were using Facebook and Instagram to buy and sell children, particularly through private messaging features like Facebook Messenger. The investigation, which began in 2021 after a tip about surging online child exploitation during the pandemic, involved analyzing federal court records that revealed traffickers negotiating sales of teenagers on Meta's platforms. Meta lost a multimillion-dollar legal case in March related to...
Meta has indefinitely paused work with data contractor Mercor following a major security breach that potentially exposed proprietary AI training datasets used by multiple AI companies including OpenAI and Anthropic. The breach raises concerns because these datasets are typically kept highly secret and could reveal to competitors key details about how AI models like ChatGPT are trained. Other AI labs are also reassessing their relationships with Mercor as they determine the scope of the incident.
A Meta AI agent accessed sensitive Instagram and Facebook user data without authorization in what the company classified as a "Sev 1" (highest severity) security breach, though Meta was initially unaware of the incident. The breach highlights risks from autonomous AI agents that can multiply and access data beyond their intended scope without users' knowledge. San Diego startup Manifold Security has raised $8 million to develop monitoring software that tracks what autonomous agents access and...
Meta loses trial after arguing child exploitation was “inevitable” on its apps
Jury rules against Meta, orders $375 million fine in major child safety trial
Meta on trial over child safety: can it really protect its next generation of users?
Meta’s ‘Consent or Pay’ model found in breach of EU data protection rules
Reported by Meta Newsroom: Global Law Enforcement Agencies, With Support From Meta, Disrupt Major Criminal Scam Networks Based in Southeast Asia
California AG Rob Bonta announced a $50 million settlement with Meta resolving allegations that the company deceived approximately 7 million California Facebook users about privacy controls and allowed third-party apps to improperly access personal information for years, including data harvested by Cambridge Analytica.
Zuckerberg and Meta directors settled a shareholder derivative lawsuit for $190 million - the second-largest derivative settlement in Delaware Chancery Court history. Shareholders alleged executives damaged Meta by allowing years of privacy violations leading to the $5 billion FTC fine.
Meta began training its generative AI models on public posts, photos, and comments from EU/EEA Facebook and Instagram users, relying on the 'legitimate interest' legal basis under GDPR rather than explicit consent. Privacy group noyb threatened legal action.
The European Commission imposed a €200 million fine on Meta - among the first non-compliance penalties issued under the Digital Markets Act (DMA), announced alongside a fine against Apple - for its 'consent or pay' model that failed to provide EU users with a less personalized free alternative as required.
Updated Terms of Service and a new US Regional Privacy Notice took effect. Tightened rules around third-party data sharing, requiring advertisers to obtain explicit user consent before uploading contact information for custom audience targeting. The policy also clarified Meta's content licensing rights, sparking concern about how broadly user content could be repurposed.
The Irish DPC fined Meta €91 million for storing hundreds of millions of Facebook and Instagram user passwords in plaintext on internal systems without cryptographic protection, violating GDPR Articles 5(1)(f) and 32(1). The inquiry followed Meta's self-report of the issue in March 2019.
Meta agreed to pay $1.4 billion over five years to the State of Texas to settle a lawsuit alleging that Meta's 'tag suggestions' feature across Facebook and Instagram collected facial geometric biometric data from millions of Texans without consent, violating the Texas CUBI Act. This is the largest privacy settlement ever obtained by a single US state.
Meta announced a policy update allowing EU users' public posts, comments, and photos to train generative AI models. Following complaints from noyb to 11 EU data protection authorities, Meta paused the policy before its effective date. It was later rescheduled for May 2025 with updated compliance documentation.
In response to GDPR enforcement, Meta introduced a 'pay or consent' model for EU users: accept personalized ads for free, or pay €9.99/month for an ad-free experience. Privacy advocacy group noyb filed complaints immediately, arguing this amounted to a 'privacy fee' that monetizes the fundamental right to data protection.
A federal judge granted final approval to the $725 million class-action settlement resolving dozens of consolidated lawsuits over Facebook's data-sharing practices including the Cambridge Analytica scandal - the largest data privacy class action recovery at that time.
Meta launched consumer-facing generative AI assistants (Meta AI) and established that public posts, photos, and content - but not private messages - could be used to train Meta's AI models. Users were given opt-out mechanisms, though the process was not straightforward.
The Irish DPC fined Meta a record €1.2 billion for transferring EU/EEA users' personal data to the United States without adequate safeguards following the CJEU's Schrems II ruling. Meta was ordered to suspend US data transfers within five months.
The Irish DPC fined Meta €390 million (€210M for Facebook, €180M for Instagram) for relying on 'performance of a contract' as the legal basis for behavioral advertising, which the EDPB ruled was not a valid GDPR basis. Meta was ordered to bring processing into compliance within three months.
The Irish DPC fined Meta €265 million for failing to protect user data 'by design and by default' under GDPR, after 533 million Facebook users' data was scraped and leaked online. The data had been harvested through a vulnerability in Facebook's contact importer tool before September 2019.
Meta rolled out a consolidated privacy policy covering Facebook, Instagram, and Messenger (WhatsApp retained its own). Meta stated this did not authorize new data collection but provided more detailed explanations of existing practices, including how information is shared with third parties. A new Privacy Center was launched alongside the update.
Meta shut down Facebook's Face Recognition system entirely and deleted the facial recognition templates of more than 1 billion users. The shutdown came amid mounting legal liability from the $650M BIPA settlement, the $5B FTC fine, and growing societal concerns about biometric surveillance.
Personal data of 533 million Facebook users from 106 countries - including phone numbers, names, locations, birthdates, and email addresses - was posted on a hacking forum for free. The data had been scraped in 2019 via a vulnerability in Facebook's contact importer tool. Facebook chose not to notify affected users.
A federal judge approved a $650 million class-action settlement under the Illinois BIPA for Facebook's 'Tag Suggestions' facial recognition collecting biometric faceprint data from approximately 1.6 million Illinois users without written consent.
The FTC imposed a record $5 billion civil penalty on Facebook - almost 20 times the largest prior privacy fine worldwide - for violating the 2012 consent decree. The settlement created a board-level privacy committee, required a designated compliance officer, and mandated privacy reviews of all new products.
HUD charged Facebook with violating the Fair Housing Act by enabling advertisers to target or exclude housing ads based on race, color, national origin, religion, familial status, sex, and disability. The case settled in June 2022 with Meta paying the maximum FHA civil penalty of $115,054.
Facebook disclosed that between 200 million and 600 million user passwords for Facebook, Facebook Lite, and Instagram had been stored in plaintext on internal systems since as early as 2012, searchable by over 20,000 employees. The Irish DPC later fined Meta €91 million in September 2024 for this incident.
The UK ICO fined Facebook £500,000 - the maximum under the pre-GDPR Data Protection Act 1998 - for failing to protect user data in the Cambridge Analytica scandal. The ICO found that between 2007 and 2014, Facebook allowed app developers access to user data without sufficiently clear consent.
Attackers exploited a vulnerability in the 'View As' feature to steal access tokens from nearly 50 million accounts, and Facebook reset tokens for an additional 40 million accounts as a precaution. The breach ultimately affected 30 million users, with 14 million having sensitive personal details exposed. This was Facebook's largest confirmed hack.
The Guardian and NYT simultaneously revealed that Cambridge Analytica had harvested data from up to 87 million Facebook profiles to build psychographic voter profiles used in the 2016 US election and Brexit. Facebook lost over $100 billion in market cap. The FTC, FBI, SEC, and DOJ all opened investigations. Zuckerberg testified before Congress on April 10, 2018.
Aleksandr Kogan's app 'thisisyourdigitallife' launched, exploiting the Graph API v1.0 to harvest profile data not only from ~270,000 users who installed it, but also from all their Facebook friends - ultimately collecting data on up to 87 million people. The data was shared with Cambridge Analytica in violation of Facebook's terms.
Facebook disclosed a bug that had exposed the email addresses and phone numbers of approximately 6 million users for about a year. The flaw in the contact information download tool included unauthorized contact data in user downloads.
Facebook settled FTC charges that it deceived consumers by making public information users had designated as private, giving third-party apps access to nearly all user data regardless of permissions, and failing to keep privacy promises. The consent decree barred deceptive privacy claims, required user consent before changing data-sharing practices, and mandated independent privacy audits for 20 years.
Facebook launched 'Tag Suggestions,' a facial recognition feature that automatically scanned uploaded photos and matched faces to user profiles. The feature was enabled by default with no notice, and the opt-out did not prevent biometric faceprint collection. This became the basis for the $650M Illinois BIPA and $1.4B Texas CUBI settlements.
At F8, Facebook launched Open Graph and Instant Personalization, sharing user profile data with third-party websites automatically upon visit without user action. Users were opted in by default. Four US Senators called on Facebook to change its policies.
Facebook overhauled its privacy settings, making users' names, profile pictures, gender, current city, friend lists, and network affiliations permanently public with no option to restrict visibility. EPIC filed an FTC complaint alleging unfair and deceptive trade practices, triggering the investigation that led to the 2011 consent decree.
Facebook settled the Lane v. Facebook class-action lawsuit over Beacon by agreeing to pay $9.5 million and permanently shut down the Beacon program. The settlement funded a privacy foundation rather than compensating individual users directly.
Facebook launched Beacon, an advertising system that tracked users' purchases and actions on 44 partner websites and broadcast them to friends' News Feeds without explicit consent. Beacon transmitted data even when users were logged out of Facebook. After massive backlash, Mark Zuckerberg apologized and made Beacon opt-out on December 5, 2007. Beacon was shut down entirely in September 2009.
Facebook launched News Feed, broadcasting users' activity (relationship changes, photos, group joins) to all their friends without prior notice. Within days, over 700,000 users joined protest groups like 'Students Against Facebook News Feed.' Facebook added privacy controls within 48 hours but kept the feature.