Facebook Privacy News
https://www.facebook.com/privacy/policy
Coverage: Jun 28, 2005 to Dec 19, 2025
Change Timeline
California AG Rob Bonta announced a $50 million settlement with Meta resolving allegations that the company deceived approximately 7 million California Facebook users about privacy controls and allowed third-party apps to improperly access personal information for years, including data harvested by Cambridge Analytica.
Zuckerberg and Meta directors settled a shareholder derivative lawsuit for $190 million — the second-largest derivative settlement in Delaware Chancery Court history. Shareholders alleged executives damaged Meta by allowing years of privacy violations leading to the $5 billion FTC fine.
Meta began training its generative AI models on public posts, photos, and comments from EU/EEA Facebook and Instagram users, relying on the 'legitimate interest' legal basis under GDPR rather than explicit consent. Privacy group noyb threatened legal action.
The European Commission imposed a €200 million fine on Meta — the first penalty ever under the Digital Markets Act (DMA) — for its 'consent or pay' model that failed to provide EU users with a less personalized free alternative as required.
Updated Terms of Service and a new US Regional Privacy Notice took effect. The update tightened rules around third-party data sharing, requiring advertisers to obtain explicit user consent before uploading contact information for custom audience targeting. The policy also clarified Meta's content licensing rights, sparking concern about how broadly user content could be repurposed.
The Irish DPC fined Meta €91 million for storing hundreds of millions of Facebook and Instagram user passwords in plaintext on internal systems without cryptographic protection, violating GDPR Articles 5(1)(f) and 32(1). The inquiry followed Meta's self-report of the issue in March 2019.
Meta agreed to pay $1.4 billion over five years to the State of Texas to settle a lawsuit alleging that Meta's 'tag suggestions' feature across Facebook and Instagram collected facial geometric biometric data from millions of Texans without consent, violating the Texas CUBI Act. This is the largest privacy settlement ever obtained by a single US state.
Meta announced a policy update allowing EU users' public posts, comments, and photos to train generative AI models. Following complaints from noyb to 11 EU data protection authorities, Meta paused the policy before its effective date. It was later rescheduled for May 2025 with updated compliance documentation.
In response to GDPR enforcement, Meta introduced a 'pay or consent' model for EU users: accept personalized ads for free, or pay €9.99/month for an ad-free experience. Privacy advocacy group noyb filed complaints immediately, arguing this amounted to a 'privacy fee' that monetizes the fundamental right to data protection.
A federal judge granted final approval to the $725 million class-action settlement resolving dozens of consolidated lawsuits over Facebook's data-sharing practices including the Cambridge Analytica scandal — the largest data privacy class action recovery at that time.
Meta launched consumer-facing generative AI assistants (Meta AI) and established that public posts, photos, and content — but not private messages — could be used to train Meta's AI models. Users were given opt-out mechanisms, though the process was not straightforward.
The Irish DPC fined Meta a record €1.2 billion for transferring EU/EEA users' personal data to the United States without adequate safeguards following the CJEU's Schrems II ruling. Meta was ordered to suspend US data transfers within five months.
The Irish DPC fined Meta €390 million (€210M for Facebook, €180M for Instagram) for relying on 'performance of a contract' as the legal basis for behavioral advertising, which the EDPB ruled was not a valid GDPR basis. Meta was ordered to bring processing into compliance within three months.
The Irish DPC fined Meta €265 million for failing to protect user data 'by design and by default' under GDPR, after 533 million Facebook users' data was scraped and leaked online. The data had been harvested through a vulnerability in Facebook's contact importer tool before September 2019.
Meta rolled out a consolidated privacy policy covering Facebook, Instagram, and Messenger (WhatsApp retained its own). Meta stated this did not authorize new data collection but provided more detailed explanations of existing practices, including how information is shared with third parties. A new Privacy Center was launched alongside the update.
Meta shut down Facebook's Face Recognition system entirely and deleted the facial recognition templates of more than 1 billion users. The shutdown came amid mounting legal liability from the $650M BIPA settlement, the $5B FTC fine, and growing societal concerns about biometric surveillance.
Personal data of 533 million Facebook users from 106 countries — including phone numbers, names, locations, birthdates, and email addresses — was posted on a hacking forum for free. The data had been scraped in 2019 via a vulnerability in Facebook's contact importer tool. Facebook chose not to notify affected users.
A federal judge approved a $650 million class-action settlement under the Illinois BIPA for Facebook's 'Tag Suggestions' facial recognition collecting biometric faceprint data from approximately 1.6 million Illinois users without written consent.
The FTC imposed a record $5 billion civil penalty on Facebook — almost 20 times the largest prior privacy fine worldwide — for violating the 2012 consent decree. The settlement created a board-level privacy committee, required a designated compliance officer, and mandated privacy reviews of all new products.
HUD charged Facebook with violating the Fair Housing Act by enabling advertisers to target or exclude housing ads based on race, color, national origin, religion, familial status, sex, and disability. The case settled in June 2022 with Meta paying the maximum FHA civil penalty of $115,054.
Facebook disclosed that between 200 million and 600 million user passwords for Facebook, Facebook Lite, and Instagram had been stored in plaintext on internal systems since as early as 2012, searchable by over 20,000 employees. The Irish DPC later fined Meta €91 million in September 2024 for this incident.
The UK ICO fined Facebook £500,000 — the maximum under the pre-GDPR Data Protection Act 1998 — for failing to protect user data in the Cambridge Analytica scandal. The ICO found that between 2007 and 2014, Facebook allowed app developers access to user data without sufficiently clear consent.
Attackers exploited a vulnerability in the 'View As' feature to steal access tokens from nearly 50 million accounts, and an additional 40 million tokens were reset as a precaution. The breach ultimately affected 30 million users, 14 million of whom had sensitive personal details exposed. This was Facebook's largest confirmed hack.
The Guardian and NYT simultaneously revealed that Cambridge Analytica had harvested data from up to 87 million Facebook profiles to build psychographic voter profiles used in the 2016 US election and Brexit. Facebook lost over $100 billion in market cap. The FTC, FBI, SEC, and DOJ all opened investigations. Zuckerberg testified before Congress on April 10, 2018.
Aleksandr Kogan's app 'thisisyourdigitallife' launched, exploiting the Graph API v1.0 to harvest profile data not only from ~270,000 users who installed it, but also from all their Facebook friends — ultimately collecting data on up to 87 million people. The data was shared with Cambridge Analytica in violation of Facebook's terms.
Facebook disclosed a bug that had exposed the email addresses and phone numbers of approximately 6 million users for about a year. A flaw in the contact information download tool caused contact data the users were not authorized to see to be included in their downloads.
Facebook settled FTC charges that it deceived consumers by making public information users had designated as private, giving third-party apps access to nearly all user data regardless of permissions, and failing to keep privacy promises. The consent decree barred deceptive privacy claims, required user consent before changing data-sharing practices, and mandated independent privacy audits for 20 years.
Facebook launched 'Tag Suggestions,' a facial recognition feature that automatically scanned uploaded photos and matched faces to user profiles. The feature was enabled by default with no notice, and the opt-out did not prevent biometric faceprint collection. This became the basis for the $650M Illinois BIPA and $1.4B Texas CUBI settlements.
At F8, Facebook launched Open Graph and Instant Personalization, sharing user profile data with third-party websites automatically upon visit without user action. Users were opted in by default. Four US Senators called on Facebook to change its policies.
Facebook overhauled its privacy settings, making users' names, profile pictures, gender, current city, friend lists, and network affiliations permanently public with no option to restrict visibility. EPIC filed an FTC complaint alleging unfair and deceptive trade practices, triggering the investigation that led to the 2011 consent decree.
Facebook settled the Lane v. Facebook class-action lawsuit over Beacon by agreeing to pay $9.5 million and permanently shut down the Beacon program. The settlement funded a privacy foundation rather than compensating individual users directly.
Facebook launched Beacon, an advertising system that tracked users' purchases and actions on 44 partner websites and broadcast them to friends' News Feeds without explicit consent. Beacon transmitted data even when users were logged out of Facebook. After massive backlash, Mark Zuckerberg apologized and made Beacon opt-out on December 5, 2007. Beacon was shut down entirely in September 2009.
Facebook launched News Feed, broadcasting users' activity (relationship changes, photos, group joins) to all their friends without prior notice. Within days, over 700,000 users joined protest groups like 'Students Against Facebook News Feed.' Facebook added privacy controls within 48 hours but kept the feature.