By Samantha Cook, Staff Writer
“If something is free, you’re not the customer – you’re the product.”
While free for users, Facebook turns its consumer data into a huge profit. Christopher Wylie, a whistleblower from the U.K. consulting firm Cambridge Analytica, came forward recently about what he considered to be unethical use of consumer data in the 2016 presidential election. This internal source, a co-founder of Cambridge Analytica, alleges that the consulting firm analyzed data taken from around 50 million Facebook users to profile voters, and sold its research to the Trump campaign for $5 million. The firm has data on about 230 million American adults, and has an average of 400 data points about each of them.
Users’ data were collected through a survey app on Facebook that adjusted their privacy settings to allow the app to collect more than just the survey results. It gave the app permission to collect other data through the site, including data about users’ friends. Almost all users were unaware of the app’s privacy settings.
Facebook responded with boilerplate apologies and assurances of investigation. The social media giant, however, may be facing some legal backlash for its lax data protection policies. Wylie questioned why Facebook didn’t investigate when it started seeing that tens of millions of records were being pulled by third parties, and went so far as to charge Facebook with facilitating the project by allowing apps to have these invasive permissions at all. 
Despite the U.S.’s general lack of data privacy laws, Facebook’s legal department is humming with inquiries. In 2011, Facebook signed a consent decree with the Federal Trade Commission, which has historically been the primary consumer privacy watchdog in the U.S. The agreement was the result of an FTC complaint against Facebook alleging that the company violated its own privacy policies by sharing users’ information with third parties without the users’ consent. Other claims against Facebook include that it was misleading in its policies regarding retention of data after an account is deleted, that it failed to update users about changes in privacy settings, and that it did not adhere, as it had certified, to the U.S.-E.U. Safe Harbor Framework.
To settle with the FTC, Facebook agreed not to misrepresent its privacy and security policies to users. Prior to sharing nonpublic user information with any third party, Facebook is required to “clearly and prominently” disclose to the user the categories of data that will be disclosed, the identity or type of third party receiving the information, and that such sharing exceeds the previously agreed-to privacy settings.
The FTC is currently investigating the Cambridge Analytica case to determine if Facebook truly violated the 2011 decree. Some say that it isn’t clear if the company violated the decree because it was at liberty to share data when a user consented to sharing information about their “friends.” Regardless of the details of the decree, however, Facebook has more to worry about than just the FTC.
Thirty-seven state attorneys general sent a letter to Facebook expressing concern with its privacy practices. The letter contained a list of questions for the company, like whether the terms of service were clear and understandable, whether Facebook had controls over the types of data given to developers, how many users were impacted, and when Facebook learned about the privacy breach. Illinois has already sued Facebook for fraud, referring to the company as “a data aggregation machine disguised as a social network.” The suit also hinted at Cambridge Analytica’s electioneering and at Facebook’s “rich history of experimenting on its users.”
The states’ privacy and fraud laws vary, but it is clear that Facebook’s practices are raising eyebrows across the country and potentially stirring lawmakers to prioritize personal data protection over protections for big data firms. The Open Rights Group, a digital rights protection campaign, commented that, “American privacy law is completely broken,” citing to the common sentiment that social media users do not feel as though they have a grasp on their own data.
While FTC regulations and state fraud laws may suffice to keep Facebook’s rampant policy violations in check, there is limited substantive law in the U.S. protecting consumer data. Though there are explicit regulations against disclosing health information or children’s personal information (e.g. HIPAA and COPPA), the law is less robust on social media protections in the U.S. than in its European counterparts.
Effective May 25, 2018, the European Union will enforce the General Data Protection Regulation, a new set of laws targeted at (predominantly American) tech companies. One new rule in this legislation is that user consent forms must be written in plain language, not incorporated into pages-long terms and conditions that users do not read. Had Facebook’s privacy violation occurred after these rules became effective, it would have resulted in a roughly $1.6 billion fine.
Companies around the world are realizing the value of big data. Tiny bits of information about individuals, meaningless on their own, can make a huge impact when aggregated. Whether it be to target make-up advertisements or to sway an entire electorate, Facebook has created a secondary business of selling consumer data. The value of such data has thus far outweighed the privacy concerns, and as such Congress has not yet taken action to legislate for social media users’ rights, despite the FTC’s recommendations.
Facebook CEO Mark Zuckerberg will testify before Congress about this issue. Google and Twitter have also been called to speak about their data privacy practices. Given the backlash from Facebook’s latest scandal, perhaps the federal government will be more willing to create bright-line policies regarding data generated from social media and to keep the sites free, without making the users the products.