Can You Sue Facebook for User Data Breach?

By Christopher Coble, Esq. on April 11, 2018 | Last updated on December 17, 2021

No one really reads the terms of service before clicking "accept." Even if those terms allow an app "to edit, copy, disseminate, publish, transfer, append or merge with other databases, sell, license (by whatever means and on whatever terms) and archive your contribution and data."

That's what Aleksandr Kogan's quiz app for Facebook told users before transferring all their data to Cambridge Analytica. Now there's a class action lawsuit against Facebook and Cambridge Analytica over the release of user data.

Could the acceptance of those terms of service come back to haunt the plaintiffs?

Tracking Personal Data

The Los Angeles Times breaks down the personal data transfer at issue:

Cambridge Analytica, a data-mining company, has admitted to obtaining Facebook information through Global Science Research, a company run by researcher Aleksandr Kogan. GSR obtained the personal information on Facebook users and their Facebook friends through a personality test app in 2013, under the guise of academic research. The information was then provided to Cambridge Analytica.

The lawsuit, filed by three Californians on behalf of potentially 87 million Facebook users, claims the social media platform's assurances that users "own all of the content and information" they post on the site and "can control how it is shared" by using the platform's privacy settings" are "false and misleading."

The suit also alleges the data obtained by Cambridge Analytica was used to create profiles and target audiences for political ads in the 2016 presidential election.

Cambridge denies that it obtained any user information illegally, and asserts it "did not use any GSR data in the work we did in the 2016 US presidential election."

"Our contract with GSR stated that all data must be obtained legally, and this contract is now a matter of public record," the company claimed in a public statement, "We took legal action against GSR when we found out they had breached this contract."

In testimony before Congress, Mark Zuckerberg claimed to have never seen GSR's terms of service, adding, "It certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform." Facebook says it deleted the app in December 2015 after they found out about the data harvesting.

Despite GSR's terms potentially conflicting with Facebook's rules, Facebook users (of whom Cambridge Analytica claims there aren't more than 30 million) appear to have consented to those terms voluntarily. What role the "no one reads those" defense will play in the class action lawsuit remains to be seen.

Can I Sue For a Data Protection or Cybersecurity Breach?

In some cases, you may be able to sue for a breach of your customer information, such as credit card information, phone numbers, addresses, social security numbers, credit reports, or other private information. Often these data breach lawsuits don't become valid until the customer suffers harm from the data breach. Typically "harm" means a criminal case or civil injuries, such as losing money from the breach.

Social media channels don't have legal responsibilities for data privacy -- typically they have security measures in place to convince users to sign up for their platform. However, cyberattacks often can't be prevented and data leaks are relatively common in the internet age. Currently, federal and state data privacy laws are considered weak. If you decide to sue, your attorney will need to review the social media channel's privacy policy and other policies to form a case.

Related Resources:

Copied to clipboard