Facebook’s parent company Meta has agreed to settle one of the longest-running data privacy lawsuits in the country for $90 million. This dispute, originally filed in 2012 in a total of 21 related cases, alleged that Facebook continued to track its users even after they logged out of the social media platform. Specifically, the plaintiffs’ alleged that Facebook used cookies and various plug-ins in order to track and save information about its users’ visits to third-party websites and then sold to advertisers.

This multidistrict (“MDL”) litigation, pending in California—a state where a large portion of nationwide privacy class action suits tends to end up—is styled In re: Facebook Internet Tracking Litigation, U.S. District Court, Northern District of California, No. 12-md-02314. The operative complaint alleges that Facebook violated federal and state privacy laws, as well as wiretapping laws, by tracking users whenever they visited unaffiliated websites containing Facebook “like” buttons. According to the complaint, Facebook unlawfully compiled users’ data, including browsing histories, in order to sell their user profiles to third parties for purposes of targeted advertising.

Although this case was initially dismissed in 2017 after protracted litigation and multiple amendments to the complaint, the Ninth Circuit Court of Appeals reinstated it in 2020. The appellate court decided that the plaintiffs could prove privacy violations, after all, citing Facebook’s unlawful profits stemming from the alleged practices, and finding that the plaintiffs sufficiently alleged concrete and particularized harm. The Ninth Circuit further ruled that the fact that Facebook actually profited from the sale of users’ data created “economic harm” for purposes of standing. The Ninth Circuit also rejected Facebook’s argument that it was a party to communications between its users and other websites for purposes of wiretapping laws. The U.S. Supreme Court subsequently declined to take the case, and the consolidated actions were therefore sent back down to the trial court, at which point settlement negotiations ensued.

This week’s settlement agreement covers a narrow time period—only those Facebook users who visited third-party websites in the United States between April 22, 2010 and September 26, 2011 are eligible to submit a claim. Yet, this settlement is significant and groundbreaking with respect to its reach, the amount, and the injunctive relief secured for the plaintiffs. In addition to the monetary component, Facebook will also have to delete all of the user data that it had allegedly collected unlawfully—a significant potential precedent for future settlements in a court system that has not previously focused on data deletion in privacy cases. The proposed settlement further requires Facebook to establish a $90-million fully non-revisionary settlement fund, which reportedly represents disgorgement of 100% or more of Facebook’s profits in connection with this unlawfully obtained data.

If this settlement is approved, it will become one of the largest and noteworthy data privacy class action settlements in the United States. The proposed settlement will resolve not only the underlying federal action but also a related state-court lawsuit against Facebook.

While Meta described the settlement as a business-driven decision, if approved, it will avoid a costly trial and the possibility of a staggering verdict, in the wake of other privacy complaints against Facebook. Facebook and Meta have faced other privacy-related issues, which resulted in a 2019 settlement with the FTC with a $5 billion fine and a February 15, 2022 lawsuit by Texas Attorney General against Facebook’s parent company, Meta, alleging that it collected facial recognition data and captured users’ biometric information from photos and videos without their consent. And, as we reported previously, privacy implications of the Facebook whistleblower testimony before Congress highlighted other potential harms, such as valuing profit over the safety of users and alleging the targeting of children through the Instagram platform.

This settlement serves as a cautionary tale for companies that collect or track user data or use other forms of browser tracking. Such companies ensure that their privacy programs keep pace with compliance with all relevant laws. Since privacy laws are ever-changing, it is equally as important to keep abreast of new legal developments and carefully monitor compliance issues. New laws in California, Virginia, and Colorado will be effective in 2023 and planning for compliance with those laws should be underway.  Additionally, regulators such as the Federal Trade Commission and the Securities and Exchange Commission have indicated that they will be turning attention to privacy and cybersecurity issues in 2022