Amidst allegations that Cambridge Analytica used the personal data of millions of Facebook users to target voters and help sway the 2016 U.S. presidential election,1 public spotlight is on the data management practices of social media platforms—particularly the transfer of data between the platform and third parties.

Collaboration between social media platforms and outside entities is not new. For example, Facebook used to offer to advertisers a platform feature called “Partner Categories,” which breaks down Facebook users into descriptive groups—such as “buyers of children’s cereals”2 or “soda drinkers.”3 Grouping users by common characteristics helps advertisers target a particular consumer base and serve relevant ads.4 To identify a user’s characteristics, Facebook purchases outside information on its users from third-party data providers such as “Datalogix, Epsilon, Acxiom, and BlueKai.”5 Third-party data providers collect bits of information people leave behind on the internet, such as webpage visits or purchase history. Data providers then piece the bits together to form more useful information, such as a person’s demographics and personal tastes.6 Social media platforms supplement in-house user information with information from third-party data providers to enhance the platform’s ad-targeting ability. Such relationships are “common industry practice” for social media platforms.7

The public is now curious about what other common industry practices Facebook engages in, and whether such practices should remain common. Recently, Facebook suspended its relationship with an outside political consulting firm Cambridge Analytica who obtained Facebook user information without permission.8 While Facebook prohibits the sale or transfer of user data “to any ad network, data broker or other advertising or monetization-related service,”9  Facebook generally allows access to user data for academic research.10User information left Facebook’s hands through this otherwise legitimate channel, only to arrive in Cambridge Analytica’s possession in the end.11 Cambridge Analytica allegedly used the obtained personal user information to provide useful electorate information for the Trump campaign,12 raising additional questions about whether such relationships jeopardize democracy in America.

Revelations about the relationship between Facebook and Cambridge Analytica sparked a bipartisan interest to inquire after internet companies—something that does not happen often on the hill. On April 10 and 11, Facebook CEO Mark Zuckerberg testified before an inquisitive Congress who sought answers on the Cambridge Analytica incident and just how much control users have over their personal information.13 Among the many “sensitive” questions Zuckerberg parried was whether a non-Facebook member can remove their personal data possessed by Facebook, and if so how.14 When asked whether Facebook has a monopoly in the industry, the CEO replied that it “doesn’t feel like that” to him.15

To the question of a new privacy bill that will check platforms like Facebook, Zuckerberg noted a need for it, but otherwise avoided commenting on the details.16 Members of Congress recognize the critical role that Facebook plays in our society and are seeking to “explore approaches to privacy that satisfy consumer expectations while encouraging innovation.”17 Whether the spirit will be channeled into an actual bill protecting people’s privacy online will depend on overcoming Silicon Valley’s powerful lobbying presence on the hill. To put it in context, Google, Apple, Facebook, and Amazon together spent $49.7 million on direct lobbying alone in 2017.18 Coupled with the apparent dearth of technological knowledge on the hill,19 a consensus on new privacy law—which has not happened since 200920—will not be easy.

Meanwhile, privacy on the internet remains in jeopardy. With new allegations that Cambridge Analytica planned to launch its own cryptocurrency through which sale of personal data would be facilitated,21 users need greater control over their personal data more than ever. Such greater control needs to reflect the expectations users have when they use a platform. Judging by how much the internet has come to evolve in the presence of participants with pecuniary and political motives, trustees of user information online face a looming responsibility to deliver the privacy and security users want and need.