Facebook’s folly and the future of federal privacy legislation

The traditional notion of privacy set forth in the U.S. Constitution focuses on limiting the ability of the government to intrude on the right of citizens to be left alone. Today, the intrusion comes not from government but from commercial, political and terrorist groups that are able to track every minute detail of your life from the food you eat, hotels you stay at, products you purchase, and every website and individual with whom you communicate. The remedy should be a federal privacy law according to a majority of Americans.

Last year, 61% of Americans said that the federal government should devote a great deal or quite a bit of time to "improving online data privacy and security" according to a poll conducted by the Associated Press and University of Chicago's NORC Center for Public Affairs Research. Politico/Morning Consult was more pointed in a poll they conducted earlier this year, asking registered voters about their support to "make it illegal for social media companies to use personal data to recommend content via algorithms." Fifty-six percent either strongly or somewhat supported such legislation.

Being left alone in one's digital life would mean having the right to prevent personal data from being surreptitiously collected, disclosed, sold or manipulated for any purpose. The most basic right is to control one's own data by default. If a company that collects a customer's data can offer a convincing benefit for the data being used (including payment to the person), the data owner can affirmatively consent. This opt-in approach is not the norm today. If a user has not opted out and his or her data is collected and shared, at the least, the user should have an absolute right to copies of such data. There is no such legal option now.

The growing concern about protecting online data stems from the scandalous revelation in 2018 that Facebook (now Meta Platforms, Inc.) allowed Cambridge Analytica, a political consulting firm linked to the Trump campaign, to collect data from an estimated 87 million Facebook users during the 2016 election.

Prior to the Cambridge Analytica scandal, the privacy debate centered primarily on protecting consumers' financial and medical information. Cambridge Analytica, however, used information Facebook collected and secretly provided to it to create psychological profiles of users. Those profiles were used to target digital ads to voters based on their personality traits in an effort to influence the presidential election. One of the most unsettling aspects of such data harvesting is that it takes place behind the scenes and it is difficult or impossible for consumers to learn what data was collected or shared. Even after Facebook was sued for the data release it remains difficult to learn what information was shared.

Plaintiffs have waged a years-long battle to obtain their data that was collected and shared in a multidistrict lawsuit in federal district court. In re: Facebook, Inc. Consumer Privacy User Profile Litigation, 18-02843 (N.D. Cal. 2018). In the complaint, a group of current or former Facebook users allege that the company harvested and gave unrestricted use of highly personal data to Cambridge Analytica and other third parties including Netflix, Lyft, AirBnb and Russian search engine Yanex.

The data Facebook allegedly shared included information on relationships, whereabouts, moods, daily routines, videos, photos and even content and information with nonpublic settings shared with others on Facebook -- all without the users' knowledge or consent. Facebook's third-party customers then allegedly used the information to create dossiers on individuals for so-called "psychographic marketing." The dossiers make assumptions about users' health, financial risk, employability and other factors and third parties allegedly use the information to target people based on analyses of their temperament and vulnerabilities.

The plaintiffs understandably want to know what information about them was harvested and shared, including data from sources other than their Facebook accounts. For over a year they have been trying to get that information, but Facebook has not produced little. The plaintiffs moved to compel and a special master ordered Facebook to produce. Facebook appealed to the magistrate judge who upheld the ruling. Nonetheless, the plaintiffs reported that Facebook had not produced any of that information by the February 2, 2022, deadline.

The discovery battle boiled over in the case management conference last week. U.S. District Judge Vince Chhabria said he had "a quite strong preliminary view" that Facebook's discovery behavior is sanctionable. Chhabria invited the plaintiffs to file a motion seeking sanctions against Facebook and explicitly said the partners handling the case should be included in any sanctions request.

Chhabria said that it was "obvious" to him that the data Facebook collected and shared with third parties was discoverable and that Facebook has been "stonewalling" on producing such data for a year. He was highly critical of Facebook's decision to cancel depositions of plaintiffs on the basis that they had not identified what information Facebook allegedly shared without their consent. "So it sounds like what Facebook is saying is, until you identify what information you believe we shared without your consent, we're not going to take your deposition. That is preposterous and you are going to take their depositions now, or ... you're going to waive the right to take their depositions at all."

Chhabria is right. Any legislation creating a federal privacy statute should include requirements that defendants must automatically disclose all information collected on a user, including the content and identities of third parties with whom the information was shared. Violations should be subject to a daily fine. Only then might Facebook and similar defendants recognize that personal information is not only confidential, but it belongs to the user disclosing it. 