
Facebook Settles Old Privacy Lawsuit for $90 Million; Proceeds to be Divided Between Users

A privacy lawsuit first filed against Facebook in 2012, dismissed in 2017 and successfully appealed in 2020, will finally be paying out for impacted site users. Meta has been assessed a penalty of $90 million on expected profits for its use of the collected personal information of users who visited third-party sites that hosted one of its “Like” buttons. Facebook had told users that it would not track their visits to third-party sites when they were logged out of the service, but continued to do so when these sites in its extended ecosystem were visited.

The settlement has a rather narrow window, however: the privacy lawsuit only covers parties who visited one of these sites between April 2010 and September 2011. The lengthy time for the suit to be settled is owed to a long chain of appeals that ultimately landed in the U.S. Court of Appeals for the Ninth Circuit for the 2020 ruling; Facebook’s request to appeal up to the Supreme Court was denied, finally putting an end to the case after a decade.

Privacy lawsuit settlement finally pays out for Facebook violation that began almost 12 years ago

If the court approves the settlement, this long-running privacy lawsuit will finally be put to bed with $90 million (after the usual legal expenses) being parceled out to eligible users and Facebook forced to “sequester and delete” personal data collected during the period. Though impacted users may be pleased to finally be getting something, the original lawsuit sought $15 billion in damages. The exact means of qualifying to participate in the settlement will not be determined until the court grants its final approval.

The case began as 21 separate class action privacy lawsuits filed in 2012, eventually consolidated into one suit that was dismissed in June 2017 by a federal judge who said that plaintiffs could not show that they had a reasonable expectation of privacy or suffered financial damages from the incident. The Ninth Circuit ultimately ruled otherwise in 2020, establishing that Facebook was required to collect explicit consent for gathering this information under the terms of the Wiretap Act and that economic harm had indeed been caused.

Failing to get the Supreme Court to grant it one final attempt at an appeal, Facebook came to the negotiating table with the parties and hammered out the eventual $90 million penalty.

Though far from what was originally sought, the settlement amount will still be one of the largest of its kind in US history; Facebook has already faced record-breaking penalties before, however, most notably the $650 million judgment against it last February due to violations of the Illinois Biometric Information Privacy Act by its photo tagging system. Meta issued a statement saying it was “glad to move on” from the issue.

At the time, Facebook’s end-user licensing agreement (EULA) specifically stated that tracking was supposed to stop when users logged out of the site. The “Open Graph” feature, first rolled out in 2010, allowed websites to embed a “like” button as a convenience feature for users browsing the web while also logged into their Facebook accounts. If a user landed on one of these sites while logged out of Facebook, the embedded button was not supposed to gather data on them. However, it did. It continued scooping up information on what sites these users visited, what they might have viewed and purchased, and even their communications with the site. The issue was publicly reported on in 2011 and Facebook issued a fix, but at that point the window had been open for over a year, providing fertile ground for privacy lawsuits.

Big money for Facebook, potential peanuts for plaintiffs

The settlement will likely be split into very small pieces due to the raw number of people the decision potentially impacts. Anyone who had a Facebook account during that period and visited at least one of the websites that had an embedded Like button is eligible to participate, a very long list that includes quite a few major websites for big-name corporate brands. This also occurred during a period of particularly strong growth and activity for Facebook, which doubled to about 489 million users in 2010 and then came close to doubling that again with 739 million users in 2011. Legal fees are projected to be about $26.1 million, leaving around $64 million to be parceled out to the privacy lawsuit participants.


Facebook may soon be in more legal trouble, as a case against it was filed by Texas Attorney General Ken Paxton last week over the use of its facial recognition technology to scan and tag user photos. The case somewhat reflects the one in Illinois, with Texas alleging that Facebook is in violation of a 2019 state law that prohibits collection of “facial geometries” without consent. That law carries a maximum $25,000 penalty for each violation plus a potential $10,000 penalty for each case of deceptive trade practices. Facebook ended up paying a $650 million penalty for its similar case in Illinois, and the privacy lawsuit pressured it to add an opt-out feature in 2017 and to end its use of facial recognition entirely in 2021.

 

Senior Correspondent at CPO Magazine