Social Media and Data Privacy
By: Isabella Liu
Edited by: Eleanor Bergstein and Clark Mahoney
It’s happened to all of us: our social media feeds, be it YouTube or Instagram, suggest something that we mentioned in passing, leading us to wonder if there is some sort of contraption in our devices listening to our conversations. As people use social media more frequently, they are becoming increasingly concerned about how these platforms may invade personal privacy. For example, a 2015 Pew Research Center survey found that approximately 69% of adults were uncertain if their activity and data would be kept secure and private by social media platforms. [1] Furthermore, a US News survey found that 61% of Americans learned that “their personal data had been breached or compromised in at least one account.” [2] These statistics make it clear that Americans are concerned about their personal data being taken advantage of by social media companies. Although some may view this as harmless, the way in which social media collects our data has the potential to violate privacy laws. In this article, we will explore previous cases that handle this issue, as well as gaps in current legislation that can enable violation of data privacy, in order to create potential solutions to better protect individuals from data breaches.
Past Trials
There have been several trials in the past that have addressed the concern of social media companies violating data privacy laws. In the 2017 case Smith v. Facebook Inc., plaintiffs Winston Smith and others alleged that Facebook violated the Wiretap Act (also known as Title I of the Electronic Communications Privacy Act of 1986 (ECPA)), as well as several California state privacy laws. [3] The plaintiffs argued that the company violated these laws by collecting their data when they visited the Healthcare Defendants’ websites, tracing the individuals through the websites’ “like” and “share” buttons. The plaintiffs argued that this collection of their data was an invasion of individual privacy. However, the district court initially dismissed the case on the basis that the plaintiffs had agreed to Facebook’s Terms of Service. The Terms of Service warned consumers that the platform collects information when a user visits any third-party pages. Thus, the district court ruled that Facebook did not violate any privacy laws, as the plaintiffs themselves consented to the tracking and collection of their data.
When the case was appealed and brought to the Ninth Circuit Court of Appeals, the plaintiffs claimed that although they consented to Facebook’s Terms of Service, “they did not consent to the collection of health-related data” that could be traced from visiting the Healthcare Defendants’ websites. [4] However, the Ninth Circuit affirmed the district court’s decision, agreeing that Facebook’s Terms of Service clearly stated its policies and that Facebook therefore did not violate any individual privacy laws.
Although the verdict was not in favor of the plaintiffs, it is crucial to note that their underlying concern remained unaddressed: what if certain platforms, despite listing their data collection policies in their Terms of Service, end up using the data for malicious purposes? This concern can be examined through gaps in current privacy legislation.
Gaps in Current Legislation
Current laws concerning data privacy are not strong enough to set a baseline on data collection among all social media and other technology companies. Congress has been slow to move on national data privacy legislation, so individuals have turned to the Federal Trade Commission (FTC) as the primary source of enforcement for data privacy standards and regulations.
The FTC, created in 1914, was established to protect citizens from “deceptive or unfair business practices,” and therefore has guidelines that could be used to judge whether a company’s data collection practices violate individual privacy. [5] It not only assists businesses with ensuring that their practices comply with the law, but also “investigates and mitigates privacy incidents” [6]. In fact, the official FTC website has pages discussing its role in protecting customer privacy. With resources like this, the FTC is the main entity dealing with data privacy concerns between businesses, such as social media companies, and consumers.
However, there are several gaps in current federal legislation that enable the collection of data that may appear to be a violation of privacy to consumers. With regard to the concern about the security of health data, as presented by Smith v. Facebook Inc., there is a loophole in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA aims to protect an individual’s health information and covers insurance, patient records, and more. HIPAA does not cover any health-related information an individual posts online, health-related searches, or browsing history. [7] Although the FTC is able to cover any data not covered under HIPAA, there have still been instances in which third parties “use and resell” health data. They achieve this by de-identifying the data, as de-identified data is not classified as covered under HIPAA. [7] However, there is a possibility of improper de-identification. Although companies strive to buy data that does not contain any personal information, not all data is guaranteed to be completely de-identified. For example, HIPAA has a de-identification method called the safe harbor method, in which all identifying data points must be removed, including related dates except for the year. However, if a company “wants to purchase a data set that contains the day, week or month”, then the information is not entirely de-identified. [8] This loophole can potentially violate an individual’s privacy, and thus, more regulations to close loopholes are urgently needed.
Another gap in legislation that puts an individual’s data at risk lies in the Fourth Amendment. The Fourth Amendment protects citizens from unreasonable searches and seizures by requiring a warrant. However, the third-party doctrine poses an obstacle to the protection of data privacy. The third-party doctrine, established in the cases United States v. Miller (1976) and Smith v. Maryland (1979), is a legal principle that states that citizens should not expect privacy for information that they have made public. In these cases, the Supreme Court affirmed that information an individual voluntarily turns over to a third party is not covered by expectations of privacy. Under this doctrine, digital information that we unintentionally disclose, such as metadata created when a user simply uses their cellphone, is vulnerable to being legally collected without a warrant. [9] Therefore, there is a loophole in the interpretation of the Fourth Amendment that enables the collection of user data without a legal process. This loophole calls for stronger federal regulations to further clarify privacy standards.
Solutions by State Legislation
Due to the lack of federal regulation and the loopholes in current laws, state legislatures and agencies are working toward enacting their own data privacy laws. In 2025, nine states made amendments to their current privacy laws. In September, the Massachusetts State Senate passed the Massachusetts Data Privacy Act, which includes extremely strong privacy protections such as “data minimization provisions” that limit the personal and sensitive data that companies can collect and use, “a prohibition on the sale of sensitive data”, “enhanced protections for minors’ personal data”, and “strong civil rights language to prohibit digital discrimination.” [10] Additionally, Connecticut overhauled its previous Connecticut Data Privacy Act with a bill that “expanded consumer rights, tightened restrictions with respect to minors and integrating AI-related provisions.” [11] In Virginia, firmer social media restrictions were added to the Virginia Consumer Data Protection Act. The act now requires social media platforms to “use commercially reasonable methods to determine whether users are minors and to limit minors’ use of the platform” depending on the parent. [11] These new restrictions on social media can help minimize the number of potential data breaches, especially concerning the safety of minors.
As several other legislatures contribute to their state’s data protection policies, the issue of the invasion of data privacy can be gradually tackled at the state level, even without action from the federal government. However, to establish a coherent baseline for data privacy laws and regulations preventing contradictions between states, federal legislation is still needed.
Conclusion
As social media and other digital platforms become ubiquitous and data moves online, it's important that individuals are aware of their privacy rights and act to protect their personal information from being encroached upon by companies. Data breaches can potentially lead to severe financial losses, reputational damage, and loss of intellectual property, stripping an individual of their rights. The lack of federal legislation and action only makes this issue more dire, as what is considered an invasion of privacy and what isn’t will only become more complicated, opening the way for extremely dangerous data breaches to potentially occur. Despite action being taken at the state level, with several state legislatures tightening their digital privacy policies, the gaps in current federal legislation make it difficult for data privacy cases to be legally evaluated and for companies to maintain consistent standards. Thus, the federal government must make an effort toward creating comprehensive national privacy laws that ensure all civilians are protected.
Notes:
1. Madden, Mary, and Lee Rainie. 2015. “Americans’ Attitudes about Privacy, Security and Surveillance.” Pew Research Center. Pew Research Center. May 20, 2015. https://www.pewresearch.org/internet/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/.
2. Lever, Rob. 2024. “Digital Privacy Survey Report 2024.” US News & World Report. U.S. News & World Report. 2024. https://www.usnews.com/360-reviews/privacy/digital-privacy-consumer-survey.
3. Smith v. Facebook Inc., 262 F.Supp.3d 943 (2017). https://scholar.google.com/scholar_case?case=4788852909212671744&q=smith+v+facebook+inc&hl=en&as_sdt=400006.
4. “Smith v. FACEBOOK, INC., Court of Appeals, 9th Circuit 2018 - Google Scholar.” 2018. Google.com. 2018. https://scholar.google.com/scholar_case?case=2883872420583832694&q=smith+v+facebook+inc&hl=en&as_sdt=400006.
5. Federal Trade Commission. 2023. https://www.ftc.gov
6. Esposito, Rita. 2022. “Lack of Federal Data Privacy Legislation Leaves US Agencies to Provide Guidance.” Thomson Reuters Institute. July 15, 2022. https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/data-privacy-federal-guidance/.
7. Kohane, Eden. 2024. “Mind the Gaps: Loopholes Digital Health Data Regulations Are Patient Safety Issues.” Light Collective. September 17, 2024. https://lightcollective.org/2024/09/17/mind-the-gaps/.
8. Hartsfield, Shannon Britton, and Brian Platton. “Five Red Flags in De-Identification and Data Monetization for Healthcare Companies: Insights.” Holland & Knight, July 22, 2024. https://www.hklaw.com/en/insights/publications/2024/07/five-red-flags-in-de-identification-and-data-monetization.
9. Emile Ayoub, and Elizabeth Goitein. 2024. “Closing the Data Broker Loophole | Brennan Center for Justice.” www.brennancenter.org. January 4, 2024. https://www.brennancenter.org/our-work/research-reports/closing-data-broker-loophole.
10. “PRESS RELEASE: Massachusetts Senate Unanimously Passes Strong Privacy Bill.” 2025. EPIC - Electronic Privacy Information Center. 2025. https://epic.org/press-release-massachusetts-senate-unanimously-passes-strong-privacy-bill/.
11. Francis, Jordan and David Stauss. “Retrospective: 2025 in state data privacy law.” 2025. International Association of Privacy Professionals. November 10, 2025. https://iapp.org/news/a/retrospective-2025-in-state-data-privacy-law.