By Rachel Gu
Rachel Gu is a sophomore in the School of Engineering and Applied Sciences at the University of Pennsylvania studying Bioengineering.
As of 2019, about four out of every five people in the U.S. have a registered social media account . Each user’s actions online, such as a “like” or “share” of posts on their feed, are collected as data points. This network of data is then used to create a comprehensive user profile that provides Facebook and other partnered companies useful information. This then allows them to tailor posts and ads to each individual user. In fact, more companies use this “data mining” technique than one might expect. Their intention, to optimize user engagement, has provoked debates regarding privacy agreements between companies and their users.
Data mining is the process of finding patterns within large data sets to predict outcomes . Companies can use this technique with their user data to increase revenues, cut costs, and boost customer satisfaction. Although businesses are entitled to use this data for company growth, problems arise when they sell individual data to other businesses without user consent.
This invasive procedure has been conducted for years , but the shocking outcome of the 2016 Presidential election sparked mass curiosity in privacy agreements. After President Donald Trump was elected, Facebook was accused of selling personal data that gave Trump an unfair political advantage. The key company involved was Cambridge Analytica, a data analysis firm that collected over 50 million users’ data to build voter profiles for the Trump political campaign . Investigators found that ads concerning immigration, gun rights, and race were tailored towards right-leaning, conservative Facebook users . Furthermore, there were efforts to disenfranchise the left-leaning African-American voters through misinformation about the electoral process.
Just one week after news headlines revealed Cambridge Analytica’s mass data harvest in late March 2018, acclaimed Lawyer Jay Edelson jumped on the case. Using his expertise in privacy-related class action litigation, he filed a lawsuit against Facebook for engaging in unfair and deceptive conduct.
Here’s the catch: to avoid claims that he has no standing to sue—as is common with privacy cases—Edelson is representing the entire population of Illinois. Cook County State Attorney Kimberly Foxx had first filed the consumer fraud suit against Facebook and Cambridge Analytica on behalf of The People of Illinois. However, the People brought Edelson on the case as an outside attorney .
He claims that Facebook violated the Illinois Consumer Fraud and Deceptive Business Practices Act. Violating this act results in massive consequences, namely $50,000 in civil penalties per person violated and a lost business license to operate in the state . Losing this lawsuit would result in billions of dollars forfeited as well as discontinued business in the fifth biggest state in the country.
Despite these strong allegations, the Plaintiff is still finding difficulty in proving that Facebook has indeed broken the law. As aforementioned, data trafficking is technically within a company’s right. According to Spokeo v. Robins, a 2016 U.S. Supreme Court Case, on which Edelson also worked, the plaintiff must show that they have suffered from an injury-in-fact traceable to the defendant’s alleged misconduct. An injury-in-fact is an invasion of legally protected interests which led to a concrete, imminent injury . In this case, the most Facebook users suffered was the display of tailored ads on their newsfeed.
Since this large political privacy scandal, federal prosecutors have conducted criminal investigations into Facebook’s deals with other technology companies. They found that Facebook had provided user data to more than 150 companies, including large firms such as Apple, Sony, Amazon, and Microsoft. The deals allowed these businesses to access users’ contact information, friends, and other data, sometimes without their consent .
Consequently, some state governments are now proactively addressing consumer privacy. California passed the California Consumer Privacy Act on June 28th, 2018, which will go into full effect on January 1st, 2020. Described as the strongest privacy legislation enacted in any of the U.S. states, this law gives California residents the right to know the personal data collected as well as to refuse the sale of personal data .
A Vermont statute regarding data protection was also recently enacted under Chapter 62: Protection of Personal Information: Data Brokers. This state law requires data brokers—businesses that collect consumer information and sell it to other organizations—to register annually with the Secretary of State and notify the consumers of ways to opt-out. Furthermore, data brokers must remain transparent about the administrative, technical, and physical methods they use to protect personally identifiable information. They must record these security measures in a written program .
Despite various state governments passing privacy laws, the U.S. currently has no federal legislation that mandates consistent privacy regulations across state borders.
In 2012, the Obama administration attempted to address this national privacy issue. The administration proposed a consumer privacy “bill of rights,” which required companies to be transparent about their data collection methods as well as provide consumers more agency over their collected data. Obama’s team took three years to release a privacy bill draft, and Congress never came close to legislation. Organizations backing large tech companies like Google and Facebook, along with other smaller tech companies, lobbied against these new privacy rules that would regulate targeted ads . In the end, Obama’s efforts towards increased consumer privacy failed.
Now, the Trump administration is proposing a federal privacy protection policy in another attempt to establish a nationwide regulation. The EU General Data Protection Regulation (GDPR) has already set a precedent for homogenizing data privacy laws across a region. This regulation allows individuals the right to their collected data (i.e. information about how the data is used, right to erase data, right to sell data), increases penalties for breaching privacy, and sets a standard for internal record keeping requirements .
Aiming for a policy more lenient than the GDPR, the White House National Economic Council hopes to generate a consumer privacy protection policy that focuses on a flexible risk-based rather than a rigid rule-based approach. This policy calls for appropriate risk-management to ensure desired privacy outcomes, rather than strictly mandating detailed regulations. This approach allows businesses to innovate while ensuring that consumers can control their data privacy . Trump’s team hopes to work with Congress to implement legislation in accordance with the policy.
While Obama’s past efforts towards establishing national privacy policies fell short, the current social and political climate differs greatly from that of 7 years ago. With the steps already taken, such as the EU GDPR as well as California’s Consumer Privacy Act, the Trump Administration’s efforts towards a federal privacy protection policy hold higher hopes for reaching an end.
 U.S. Population with a Social Media Profile 2019. (n.d.). Retrieved from https://www.statista.com/statistics/273476/percentage-of-us-population-with-a-social-network-profile/
 What is Data Mining? (n.d.). Retrieved from https://www.sas.com/en_us/insights/analytics/data-mining.html
 Uzialko, A. C. (2018, August 03). How and Why Businesses Collect Consumer Data. Retrieved from https://www.businessnewsdaily.com/10625-businesses-collecting-data.html
 Graham-Harrison, E., & Cadwalladr, C. (2018, March 17). Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach. Retrieved from https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election
 Russia 'meddled in all big social media' around US election. (2018, December 17). Retrieved from https://www.bbc.com/news/technology-46590890
 State's Attorney Foxx Files Lawsuit Against Facebook and Cambridge Analytica. (2018, March 26). Retrieved from https://www.cookcountystatesattorney.org/news/states-attorney-foxx-files-lawsuit-against-facebook-and-cambridge-analytica
 Gardner, E. (2019, January 10). How an Experimental Billion-Dollar Privacy Lawsuit Could Clobber Facebook. Retrieved from https://www.hollywoodreporter.com/features/how-an-experimental-billion-dollar-lawsuit-could-clobber-facebook-1174468
 Spokeo, Inc. v. Robins. (n.d.). Retrieved from https://www.oyez.org/cases/2015/13-1339
 Laforgia, M., Rosenberg, M., & X, G. J. (2019, March 13). Facebook's Data Deals Are Under Criminal Investigation. Retrieved from https://www.nytimes.com/2019/03/13/technology/facebook-data-deals-investigation.html?module=inline
 De Groot, J. (2019, July 15). What is the California Consumer Privacy Act? Retrieved from https://digitalguardian.com/blog/what-california-data-privacy-protection-act
 Vermont Laws. (n.d.). Retrieved from https://legislature.vermont.gov/statutes/section/09/062/02447
 Romm, T. (2018, July 27). The Trump administration is talking to Facebook and Google about potential rules for online privacy. Retrieved from https://www.washingtonpost.com/technology/2018/07/27/trump-administration-is-working-new-proposal-protect-online-privacy/?utm_term=.cf9a3859f09b
 GDPR Key Changes. (n.d.). Retrieved from https://eugdpr.org/the-regulation/
 Raul, A. C., & Fonzone, C. (2018, October 2). The Trump Administration's Approach to Data Privacy, and Next Steps. Retrieved from https://datamatters.sidley.com/the-trump-administrations-approach-to-data-privacy-and-next-steps/
The opinions and views expressed in this publication are the opinions of the designated authors and do not reflect the opinions or views of the Penn Undergraduate Law Journal, our staff, or our clients.