A San Francisco Superior Court entered a final judgment and permanent injunction against Meta Platforms, Inc. on March 3, 2026, ordering the company to pay $50 million in civil penalties and comply with a detailed set of data governance obligations tied to how Facebook handles user information shared with third-party application developers. The case, People of the State of California v. Meta Platforms, Inc., Case No. CGC 25 631678, was filed by California Attorney General Rob Bonta and signed by Visiting Judge John M. True.

The judgment resolves allegations that Meta deceived users about their ability to control which individuals and entities could access the personal details they uploaded to Facebook – conduct that, according to the LinkedIn post of Mike Osgood, Deputy Attorney General and one of the attorneys for the People, arose from the circumstances giving rise to the Cambridge Analytica scandal.

The penalty is to be paid within sixty days of Meta receiving payment instructions from the California Attorney General, according to the judgment document. Each party bears its own attorney fees and costs.

What the injunction covers

The 16-page document is structured around four categories of obligation: policy requirements, system requirements, enforcement requirements, and reporting requirements to both the attorney general and Meta’s own board of directors. These obligations apply not just to Meta itself but to its officers, employees, directors, successors, affiliates, parents, subsidiaries, assigns, principals, and agents – in connection with the use or operation of the Facebook Platform as defined in the judgment.

The judgment defines the Facebook Platform as a set of services and tools, including application programming interfaces, related to the Facebook social networking service accessible through www.Facebook.com and mobile applications, made available to developers. The term explicitly excludes services and tools related to other Meta products, according to the document, including Instagram, Messenger, WhatsApp, Threads, AI at Meta, Meta Pay, and Reality Labs.

Private user information is defined as any user profile information – that is, information a user adds to or is listed on the user’s Facebook profile – that is restricted by one or more privacy settings, or user-generated content such as status updates and photos that is restricted by one or more privacy settings. This is the category of information at the center of the case.

How data flows to third-party developers

The judgment provides significant technical detail about how Facebook Login – the authentication mechanism through which third-party applications access user data – operates. According to the document, Facebook Login is any software or substantially similar functionality offered as part of the Facebook Platform service to developers that can be incorporated into a third-party application and which allows users to log in to such applications and potentially authorize a third-party application to access their private user information.

Developers, as defined in the judgment, are third-party software developers who access private user information through Facebook Login, outside of a user-initiated transfer of private user information as part of a data portability protocol or standard. Service providers – a separate category – are entities authorized to use private user information accessed through the Facebook Platform for and at the direction of Meta or developers, subject to strict confidentiality conditions.

The document distinguishes carefully between these categories. A severe policy violation is defined as a confirmed instance of misuse – meaning the unauthorized transfer of private user information obtained through the Facebook Platform by developers in violation of Meta’s policy – that occurs after the effective date of the judgment.

Meta’s developer platform compliance processes have evolved significantly in recent years, including the launch of a consolidated Data Access Renewal system in October 2024. The judgment now codifies a much stricter framework around these processes.

Policy requirements: what Meta must maintain

Section III of the judgment – the injunctive provisions – runs to over ten pages. Under policy requirements, Meta must maintain a policy that requires developers to provide their users with an easily accessible privacy policy. Meta must clearly and conspicuously display a link to the developer’s privacy policy to users at the point at which the user authorizes the developer’s third-party application to receive private user information through the Facebook Platform.

The disclosure requirements are detailed. The judgment defines “clearly and conspicuously” as a disclosure that is difficult to miss – that is, easily noticeable and easily understandable by users. For visual disclosures, size, contrast, location, and the length of time the disclosure appears must ensure it stands out from accompanying text. Audible disclosures must be delivered at a volume, speed, and cadence sufficient to be easily heard and understood. In any communication using an interactive digital medium such as the internet or software, the disclosure must be unavoidable, according to the document.

Meta must also maintain a policy that requires any third-party application requesting private user information to clearly disclose how such information will be used. The policy must prohibit any third-party application from using private user information in any manner or for any purpose not disclosed to the user. Data transfer between developers and other third parties is prohibited except with the affirmative express consent of users, for service providers using the information on the developers’ behalf, or as reasonably necessary to comply with applicable law or to prevent or mitigate fraud or security vulnerabilities.

Categories of private user information that developers may request through Facebook Login are limited to only those that would enhance the user’s experience, according to the document. Developers seeking access to additional categories beyond a baseline – which includes user ID, name, profile photo, and email address – must undergo an application review process and obtain affirmative express consent from the user before receiving any such information. Meta must document the developer’s stated justification and its decision to allow or deny each request.

The judgment also requires Meta to maintain a policy limiting data retention: developers may retain users’ private user information only for as long as they have a legitimate business purpose for retaining such information, and must delete or de-identify the information within a reasonable timeframe following the expiration of a legitimate business purpose, except as reasonably necessary to comply with applicable law.

System requirements: user-facing disclosures

On the system side, Meta must maintain a mechanism that, when a user is prompted to authorize a new third-party application to access private user information using Facebook Login, clearly and conspicuously discloses the private user information that the third-party application will obtain if the user provides authorization, and provides the user the option to withhold such authorization.

Meta must also operate and provide users with an interface where users can review the third-party applications they have authorized to access private user information using Facebook Login – including those that are active, those that have expired because Meta removed access after ninety calendar days of inactivity, and those that Meta has removed for a severe policy violation since the effective date. The interface must clearly and conspicuously disclose whether access is ongoing unless revoked, the categories of private user information currently shared with each third-party application, the last date after the effective date on which each third-party application accessed each category of private user information, and for active third-party applications, the initial date the user connected to each application through Facebook Login.

Meta must remove a third-party application’s ability to access additional private user information from a user through Facebook Login when Meta’s systems detect that the user has not used the third-party application in the previous ninety calendar days. Additionally, Meta must prohibit developers from requesting that users provide permission to access private user information from anyone other than that user, and must ensure that application programming interfaces available through Meta’s Messenger Platform are not automatically accessible when Meta grants a developer access to the Facebook Platform alone.

The judgment also requires Meta to provide informational tools to users that disclose how Meta collects and uses private user information related to a user’s location, including how it may use that information for advertising purposes, and how users can make changes regarding their location-related private user information by accessing relevant settings and controls.

Meta’s revamped Platform Terms took effect on February 3, 2025, introducing requirements for privacy policy accessibility and user consent for profile building. The injunction’s system requirements go considerably further, embedding these obligations into court-enforceable obligations with attorney general oversight.

Enforcement requirements: investigations and reporting

The judgment imposes a substantial internal enforcement apparatus. Meta must maintain a robust enforcement program that monitors third-party application compliance with the policy, including through ongoing manual reviews and automated scans, and at least once every twelve months, assessments by Meta or an entity contracted by Meta confirming that third-party applications use private user information as described to Meta.

Where Meta confirms that a developer account has committed a severe policy violation, it must impose a developer account deactivation – an enforcement action that prevents a specific developer account from accessing any third-party applications for which it is an administrator and from creating new third-party applications. A developer account deactivation will also result in the deletion of any third-party application where the developer account is the third-party application’s only administrator, according to the document.

Twice yearly, Meta must generate a written enforcement report to be provided to Meta’s Board of Directors or an appropriate committee thereof. The enforcement report must disclose, for the immediately preceding half year, four categories of information regarding policy violations involving private user information retrieved through a third-party application using Facebook Login: the number of and basis for investigations conducted; the number of investigations completed; the number of violations confirmed; and the number of enforcement actions taken. Upon request from the California Attorney General, Meta must provide the enforcement report to the attorney general.

Meta must take reasonable steps to notify users if Meta confirms that a developer has committed a severe policy violation with respect to their private user information – notifying affected users by email or upon the user’s login to Facebook, without unreasonable delay following the discovery of the severe policy violation.

Meta must also develop, implement, and maintain a reporting program available to the public that allows cases of suspected misuse by developers to be reported to Meta for investigation, and must maintain a channel through which employees and contingent workers may submit anonymous complaints or concerns about the privacy of users’ private user information shared through the Facebook Platform.

Duration, implementation timeline, and release

Meta has 180 calendar days from the effective date to implement the steps set forth in the injunctive provisions, unless otherwise specified. The injunctive obligations in paragraphs 22 through 49 and 51 through 54 will terminate three years after the effective date. The judgment takes effect immediately upon entry, according to its final provisions.

The release provisions confirm that upon payment of the $50 million, the Attorney General will release Meta and its affiliates, subsidiaries, officers, employees, and related parties from known and unknown civil claims that the Attorney General could have filed based on the covered conduct occurring prior to entry of the judgment. However, six categories of claims are specifically reserved and not released: violations of state or federal antitrust laws, violations of securities laws, violations of state or federal tax laws, criminal liability, violations of the Children’s Online Privacy Protection Act, and the claims asserted in People of the State of California v. Meta Platforms, Inc., N.D. Cal. Case No. 23-cv-05448, and related cases.

The judgment was entered without trial or adjudication of any fact or law, and without Meta admitting any liability. All parties waived their right to appeal.

Context: a pattern of privacy enforcement

The $50 million penalty sits within a broader pattern of mounting legal and regulatory pressure on Meta’s data practices across multiple jurisdictions. A federal jury in San Francisco found Meta violated the California Invasion of Privacy Act in August 2025 by secretly collecting sensitive menstrual and reproductive health data from millions of women through the period-tracking app Flo. California Attorney General Rob Bonta announced a $1.4 million settlement with mobile gaming company Jam City in November 2025 for CCPA violations, the sixth settlement under that law since it took effect.

California privacy law updates that took effect on January 1, 2026 expanded requirements around consumer consent, obligating businesses to enter into agreements with any third party receiving consumer data. The Meta injunction builds on that backdrop of state-level enforcement.

In a separate proceeding, Meta’s shareholders settled a seven-year lawsuit for $190 million in November 2025 over board failures related to the Cambridge Analytica scandal and the $5 billion FTC settlement that resulted. That FTC settlement – formally the Stipulated Order for Civil Penalty, Monetary Judgment, and Relief in United States of America v. Facebook, Inc., Case No. 1:19-cv-02184, filed on July 24, 2019 and approved by the court on April 23, 2020 – is directly referenced in the California judgment’s definitions section, which defines the FTC Settlement and the FTC Independent Privacy Program Assessments derived from it.

Outside the US, a Madrid court ordered Meta to pay €479 million to 87 Spanish digital news publishers in November 2025 for GDPR violations in behavioral advertising. A Canadian court ruled in September 2024 that Facebook breached Canadian privacy laws in its handling of user data shared with third-party apps between 2013 and 2015. The Dresden Higher Regional Court in Germany delivered final rulings against Meta on February 3, 2026 ordering the company to pay €1,500 per plaintiff to four users for illegally collecting personal data across third-party websites and apps – rulings from which Meta cannot appeal.

For the digital advertising and marketing technology community, the California judgment matters primarily because of what it requires Meta to disclose to users about advertising purposes. The express inclusion of location-based data disclosure requirements – including how Meta may use that information for advertising purposes – and the restrictions on private user information flow to third-party developers has direct implications for programmatic advertising ecosystems built around Facebook Login and the Facebook Platform. Developers who access user data beyond the baseline four categories (user ID, name, profile photo, and email address) face a new application review process and the requirement for affirmative express consent. The 90-day inactivity rule, which strips third-party application access to additional private user information when users have not used the application for three months, may affect data pipelines that marketing technology platforms have historically maintained through Facebook Login integrations.

Timeline

Summary

Who: Meta Platforms, Inc. is the defendant. The People of the State of California, represented by Attorney General Rob Bonta, is the plaintiff. Visiting Judge John M. True signed the judgment. Meta was represented by Benjamin A. Powell of Wilmer Cutler Pickering Hale and Dorr LLP.

What: A final judgment and permanent injunction requiring Meta to pay $50 million in civil penalties and comply with a sweeping set of policy, system, enforcement, and reporting obligations governing how the Facebook Platform handles private user information shared with third-party application developers through Facebook Login. The obligations last three years from the effective date.

When: The judgment was signed and filed on March 3, 2026. Meta has 180 calendar days to implement the required steps. Payment of the $50 million must occur within sixty days of receiving instructions from the California Attorney General.

Where: The Superior Court of the State of California for the City and County of San Francisco, Case No. CGC 25 631678.

Why: The case arose from allegations that Meta deceived users about their ability to control the audience of personal details they uploaded to Facebook, in connection with the circumstances giving rise to the Cambridge Analytica scandal. California Attorney General Rob Bonta brought the case under Business and Professions Code § 17206. The judgment resolves the covered conduct without trial, without any admission of liability by Meta, and with both parties having waived their right to appeal.

