By Gregory Nicholson

The Lawsuit 

Recently, a class-action lawsuit was filed against Facebook, Cambridge Analytica, and other companies for allegedly misusing the personal data of more than 87 million people in an effort to steer the 2016 presidential election.  The lawsuit accuses Facebook of violating its own policies and privacy law, additionally claiming that Facebook knew about the breach early on, in 2015, but was too careless to do anything about it.  The suit also claims that Facebook was given warnings about how susceptible their privacy measures were, but failed to do anything to bolster them.

Obtaining Private User Information

Cambridge Analytica, which is a data-mining company, obtained information on Facebook users through Global Science Research (GSR).  In 2013, GSR had a personality test app, described as an academic research study, which stored the personal information of Facebook users, which was then supplied to Cambridge Analytica.  The lawsuit claims that Facebook and Cambridge Analytica obtained the private information of users to create political ads during the 2016 presidential election. Though Facebook claims that they did not become of aware of the data breach until 2016, it took the company months to order Cambridge Analytica to delete the data. Cambridge Analytica disregarded the order to delete data, and Facebook purportedly never followed up.

California Consumer Privacy Act of 2018

As a result of recent data breaches like the Facebook-Cambridge Analytica scandal, California enacted the Consumer Privacy Act (CCPA).  The CCPA essentially creates four rights for California consumers: a right to know the personal information businesses have about them, the right to delete personal information that a business collected, a right to opt-out of providing personal information in sales, and a right to equal service and pricing from a business. Though the CCPA was well-meaning, the Act needs significant improvement before it goes into effect due to its flaws.  For example, the Act does not require user consent for data collection. Further, the Act allows businesses to charge a higher price to those users who assert their privacy rights. When it comes to the sale of data, the Act does not require consent, and adults only have to opt-in or opt-out of their rights.

Will Legislation Solve Data Breaches?

As can be seen in the CCPA, the current legislation that is in place will not be enough to prevent user data breaches. The question then becomes, what can be done to ensure that information is not being shared without user consent? Most users, including myself, might agree that federal privacy legislation would achieve the most efficient outcome because it sets a national standard in the industry that consumers will be informed on.  Further, using federal legislation will dissuade individual states, like California, from enacting their own legislation, which does not cover all data privacy concerns. With Europe enacting the General Data Protection Regulation at the end of May, it is only a matter of time until the United States reforms its approach to data protection and privacy. Until then, significant data privacy will have to wait.

Student Bio: Gregory Nicholson, a second-year student at Suffolk University Law School and a staff member of the Journal of High Technology Law. He graduated the University of Connecticut in 2017 with a Bachelor of Arts in Political Science and Economics.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.