Meta's record $725 million settlement leads crop of big US privacy payouts, but wouldn't require major data changes

19 January 2023 19:40 by Mike Swift

When Meta Platforms recently agreed to pay $725 million to settle litigation over its data-sharing practices with apps on the Facebook platform, the deal set a new high-water mark for US privacy settlements, while highlighting the mushrooming cost of data protection litigation for all US companies.

Capping nearly five years of litigation that involved nearly 10 million pages of documents and 34 depositions of senior Meta executives just below the level of Chief Executive Mark Zuckerberg, the proposed settlement trumped the previous record for a US privacy litigation settlement. That was set the prior year by Facebook’s agreement to pay $650 million to settle allegations that its use of facial recognition technology violated an Illinois biometric privacy law.

Among the 13 US privacy settlements in US private litigation history with a settlement fund greater than $75 million, a group of settlements that total $3.2 billion, Facebook settlements comprise 46 percent, or $1.47 billion, according to the plaintiffs’ research. The impact of those legal costs may become more visible in less than two weeks, when Meta reports its quarterly earnings on Feb. 1.

Beyond the settlement proposal filed Dec. 22 in a San Francisco federal court, US data protection settlements are swelling for other companies as well. More than 90 percent of the total cost of those 13 largest data protection settlements came in deals finalized since 2020, by the likes of Equifax, T-Mobile, Capital One, Yahoo, Google, TikTok and Zoom Video Communications.

Prior to 2020, only one US data protection litigation settlement topped $100 million: health care insurer Anthem’s $115 million data breach settlement in 2018. Now, there are seven US data protection settlements topping $100 million. Meta has two, plus an additional $90 million settlement finalized in November.

While the numbers in the $725 million Meta settlement are eye-popping — the settlement class would include between 250 and 280 million Americans who used Facebook between 2007 and 2022, roughly the entire US population over the age of 13 — there is a notable omission. The settlement includes no significant injunctive relief that would force Meta to change its data practices.

That will doubtlessly be scrutinized by US District Judge Vince Chhabria, who has scheduled a hearing March 2 to consider granting preliminary approval to the settlement, under which Meta would not admit that it broke any law.

Friend-sharing

One upshot of the $725 million settlement is that Zuckerberg’s 2007 decision to allow apps on Facebook’s platform to access the personal data of Facebook users with which the apps had no direct relationship — under what Facebook called “Graph API Version 1” — has turned out to be a $6 billion mistake. That is the bill when factoring in the US Federal Trade Commission’s $5 billion regulatory settlement with the company in the wake of the Cambridge Analytica privacy scandal.

The plaintiffs say a financial settlement is proper because Facebook’s data-sharing practices have significantly improved, in part because of the FTC settlement and in part because of the litigation pressure brought by the plaintiffs, particularly after Chhabria denied much of Facebook’s motion to dismiss their allegations in 2019.

“The evidence produced demonstrates that the data sharing practices challenged by Plaintiffs have either been ended by Facebook or are subject to an intensive monitoring program under a 2020 FTC Consent Order,” the plaintiffs told Chhabria in their motion for preliminary settlement approval in December. “The requirements in the 2020 FTC Consent Order cover the injunctive relief Plaintiffs would have otherwise sought.”

Facebook has become much more careful with the personal data of its users than it was before the suit was filed in 2018, after a personality quiz app downloaded by fewer than 400,000 Facebook users was able to access the data of 87 million users under the rules of Graph API Version 1, the plaintiffs told Chhabria. Much of that data later acquired by the political data broker Cambridge Analytica sparked a global privacy furor.

“The evidence shows that Facebook no longer makes friend data available to third parties,” the plaintiffs told Chhabria, describing the company’s practice prior to 2015 where it allowed app developers to access the personal data not only of Facebook users who installed their app, but also the Facebook friends of people downloading the app – a process called “friend-sharing.”

Yet, the settlement filing contains new revelations about Meta’s data-sharing practices. Even though the company said it ended friend-sharing for all apps after 2015, the plaintiffs told Chhabria they uncovered evidence that Facebook continued sharing friend data with a select group of 60 “whitelisted” apps for years after 2015.

“In addition, certain third parties were given access to ‘capabilities,’ which gave them the ability to obtain friend information,” the plaintiffs said. “These facts — access to friend data via Graph API Version 1 before 2015, whitelisted and capability access to friend information after 2015 — are at the heart of Plaintiffs’ allegations.”

The plaintiffs do not disclose the names of the 60 apps allegedly whitelisted by Facebook, though they said in an amended complaint filed in 2020 they included Lyft, Airbnb, and Netflix. Nor do they spell out which companies gained “capabilities” that allowed them to continue to access friend data, nor what those “capabilities” were.

The door to friend data was finally slammed shut by Facebook only in 2018 and following years, when the company rewrote its software code to “depreciate” access to the whitelisted apps and to shut down other data conduits that previously funneled non-public data about Facebook users to apps and Facebook business partners, the plaintiffs told Chhabria. In a new court filing supporting the settlement, the company said the data-sharing practices at issue in the case "no longer exist," and challenged whether the plaintiffs could successfully argue Facebook broke the law by whitelisting apps.

Zuckerberg, Sandberg depositions loom

One argument that plaintiffs are making for Chhabria to bless the settlement is the effort and cost they expended to match Facebook’s extremely aggressive defenses.

“Litigating these claims presented extraordinary challenges, far beyond those in a normal consumer MDL,” the plaintiffs told Chhabria. “Because of the asymmetry of information regarding Facebook’s actual data sharing practices, Plaintiffs were seeking discovery about entirely unknown categories of data and data processing, learning about Facebook’s proprietary systems without knowing the language Facebook uses to describe them.”

Starting in late 2021 and during much of 2022, the plaintiffs deposed 34 current or former Facebook executives. The 2022 depositions started with Sam Lessin, a former Facebook vice president who was close to Zuckerberg all the way back to their time at Harvard in 2004. By late August, the plaintiffs’ depositions had progressed up to Meta’s most senior privacy executives, including Steve Satterfield, director of privacy and public policy; and Allison Hendrix, Meta’s public policy director on privacy and data policy.

The plaintiffs were set to depose Zuckerberg and Meta’s former chief operating officer, Sheryl Sandberg, who left the company last year. “Plaintiffs secured the production of 5,428 documents custodial to Zuckerberg and 11,852 documents custodial to Sandberg. Plaintiffs were preparing to use many of these documents in the scheduled depositions of Zuckerberg and Sandberg,” they told Chhabria.

As the depositions continued, ultimately totaling about 20 days of testimony, the two sides engaged in a series of “shuttle diplomacy” negotiations with former US Magistrate Judge Jay C. Gandhi, who had begun mediating talks between the two sides in 2021.

On Aug. 26, the day of Hendrix’s deposition but before Zuckerberg or Sandberg could submit to one, Meta appears to have blinked. That day, the plaintiffs and Meta notified the court they had a settlement agreement in principle — even though there were so many unresolved issues that another federal judge, US District Judge Jacqueline Scott Corley, had to get involved in the talks.

The ultimate result, the plaintiffs say now, was an “extraordinary outcome” for Facebook users.

“Significantly, since this case started, Facebook has ceased allowing third parties to access data about users through their friends, has meaningfully enhanced its ability to restrict and monitor how third parties acquire and use Facebook users’ information, and developed more robust tools to tell users what information Facebook collects and shares about them,” the plaintiffs said.
