Two Years Later, How Has Cambridge Analytica Changed Data Privacy?

When millions of people began creating Facebook accounts in 2006, they could never have imagined how much of their personal data would be collected over the years. 

Today, more and more people are becoming aware of the fact that their personal data is indeed collected and sold by social media platforms such as Facebook. In more recent years, people are standing up to the social media giants to communicate that they want their data protected.

What sparked this change in perception and caused people to fight more for their privacy?

The Scandal

Let’s rewind to March 2018, when three major publications (The New York Times, The Observer of London and The Guardian) all received a repository of documents from inside Cambridge Analytica, a now-defunct British political consulting and data firm. These reports proved that Facebook unethically granted the firm access to their users’ data for the purpose of building voter profiles. To thicken the plot further, former Trump aide Stephen K. Bannon was a board member at the firm and Robert Mercer, a large right-wing donor, owned Cambridge Analytica. 

After The New York Times and The Observer simultaneously released stories on March 17, 2018, a massive-scale investigation into Cambridge Analytica and Facebook ensued, and so began one of the largest data crises to date. 

87 million Facebook users were affected. Long story short: this scandal caused an uproar. 

By the end of the month, #DeleteFacebook was trending on Twitter, a hashtag that still trends today, and millions of users were fleeing from the platform. It didn’t help that Facebook CEO Mark Zuckerberg was silent for days, leading to another trending hashtag: #WheresZuck.  

Within three weeks of the infamous hashtags emerging, Zuckerburg made his first appearance before Congress to testify before the House and Senate committees. On April 10, day one, the Senate questioned him about the mishandling of data from the tens of thousands of apps in which it was harvested.

On day two, Zuckerberg faced the House’s tough questions surrounding social media’s potential for abuse. Rep. Anna Eshoo (D-CA) flat out asked Zuckerberg if his data was sold to Cambridge Analytica. His response: “Yes.”

Rep. Larry Bucshon (R-IN.) “is one of the millions of Americans who believe his phone is surreptitiously eavesdropping on him in order to serve him ads and other online content.” Other tech companies and Facebook alike have long denied using a smartphone’s microphone to record without a user’s permission. Zuckerberg also addressed the topic the day before calling it a “conspiracy theory.”  

For the in-depth story, we recommend watching the Netflix documentary The Great Hack to learn more about Cambridge Analytica and the scandal in particular.

Facebook Scrambles to Fix Public Appearance

In the wake of the scandal, Facebook made attempts to save its reputation by immediately auditing what targeting options were available to advertisers. Here’s the complete timeline of the changes Facebook made to data privacy over the following months. 

March 2018

Audience Reach Estimates 

On March 23, Facebook said it will stop showing audience reach estimates in any campaign using Custom Audience targeting. Potential Reach numbers will not be shown in any audience setup that includes Custom Audiences. This was shortly announced after Northwestern University researchers reported the potential privacy vulnerability identified with Custom Audiences to Facebook’s Bug Bounty program. The ability to build such comprehensive profiles and see those audience attributes and sizes could be used for malice. 


Considering this exploit came in the same week as the Cambridge Analytica scandal, the quick action taken by Facebook isn’t so surprising. Potential reach numbers won’t be available until a fix has been availed. Fast-forward to July of 2019, and Facebook said it would reinstall reach estimates for Custom Audiences. 

Partner Categories and Third-Party Data 

Facebook announced on March 28 that it would be shutting down Partner Categories, and third-party data will no longer be allowed for targeting ads. Third-party data providers were able to offer their targeting capabilities to Facebook through that project. Major third-party data aggregators such as Axicom and Experian would provide Facebook with offline and offsite data such as purchasing activity to improve and inform ad targeting. 

Though Partner Categories were not directly involved with the Cambridge Analytica privacy scandal, Facebook made this decision in order to restore confidence that users’ privacy is protected. In essence, a user's browsing activity outside of Facebook cannot be used for targeting.

April 2018

Restricting Data Access on Facebook

On April 4, Facebook released a plethora of updates in order to restrict data access on Facebook. Important details of changes being made were noted for the Events API, Groups API, Pages API, Facebook Login, Instagram Platform API, Search and Account Recovery, Call and Text History, Data Providers and lastly App Controls. 


The changes to the app controls were released to the public on April 9. This then allowed users to see what apps they use along with the information that they have shared with those apps. People can remove the ones they no longer want, and Facebook also lets users know if their information may have been improperly used by Cambridge Analytica. The three message types were created based on whether a user’s profile had been affected, and they link to

Custom Audience Terms of Service Updates

Facebook also made updates to its terms of services for Custom Audiences in late March/early April of 2018. The Custom Audience terms of service require that businesses have “provided appropriate notice to and secured any necessary consent from the data subjects” in order to attain and then use these people’s contact information.

May 2018

New Rules for Political and Issue Ads

On May 24, Facebook stated that any advertiser that wishes to run political or issue ads must be verified on the platform and include ‘Paid for’ information with the ad itself. This was instilled in order to deplete the propensity of abuse, though the platform also claimed that they know “these changes will not prevent abuse entirely.”

June 2018

Facebook Gave Device Makers Deep Access to User Data

Facebook was under fire once again for mishandling user data in early June. It is reported that the platform was sharing information with at least 60 smart device makers, including Amazon, Apple, Blackberry, HTC, Microsoft and Samsung. Facebook granted these device companies access to the data of users’ friends without their consent, even after the social network declared it would no longer share information with said outsiders. 

Bug Switches 14M Users to Public 

Within the week, Facebook added an apology “for accidentally setting 14 million users’ privacy status to the public without their knowledge” to their list. Facebook defined the incident that took place from May 18 to 22 as a bug. It took until May 27th for those settings to be reverted.

July 2018

Custom Audience Requirements Updated to Be More Transparent

After initial updates to its terms of services for Custom Audiences earlier in the year, the platform started requiring advertisers to specify the origin of customer data on July 2. “When uploading a customer file, advertisers will need to indicate whether the information was collected directly from people, provided by partners or a combination of the two,” writes Facebook. This will allow users to view deeper specifics around why a particular ad is displayed in their News Feed.


In order to get this information, all a user has to do is click on the “Why am I seeing this?” in the drop-down menu of the ad. The source of the Custom Audience will then be revealed.


March 2019

Ads Library Created to Further Support Transparency on the Platform

One year after the initial scandal, Facebook introduced the New Ad Library. This not only replaced the old Ad Archive, but it was created to help users “learn more about ads related to politics or issues that have run on Facebook or Instagram.”


Though it is supposedly only for seeing data for ads that pertain to social issues, elections or politics, you can essentially see any ad from any advertiser on the Ads Library

August 2019

Updates To Housing, Employment and Credit-Ads in Ads Manager

Major changes came to the platform on August 26, 2019

It was originally announced in March of 2019 that changes would be made in order to prevent discrimination in ads that offer opportunities such as Housing, Employment or Credit. These ads are considered Special Ad Categories and have tight restrictions on targeting options in Facebook Ads Manager. 

Does This Apply to You?

If you want to fall into one of these categories below, we suggest that you take a look at our blog, These Facebook Targeting Updates to Housing, Employment and Credit (HEC) Could Apply to You, where we delve into these implications and restrictions.

January 2020

Users Can Hide Ads Targeted Through Custom Audience Lists

This control is available to all people on Facebook and applies to all advertisers, not just those running political or social issue ads. 

“People have always been able to hide all ads from a specific advertiser in their Ad Preferences or directly in an ad. But now they will be able to stop seeing ads based on an advertiser’s Custom Audience from a list,” Facebook released on the corporate blog.

Knowing Custom Audiences are often composed of a company’s active, top customers, not being able to show ads to those users could potentially plummet campaign performance. Additionally, not only can users remove themself from a list, but they can also make themselves eligible to see ads even if the advertiser has excluded them from the Custom Audience list. 

This announcement was released alongside news related to users being able to see fewer political and social issue ads on both Facebook and Instagram. 

July 2020

Facebook Implements Limited Data Use for CCPA Compliance

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This is nothing new, as many of us have been aware about this for at least a year or two. 

A main challenge with CCPA compliance is the lack of clarity around what is required from different businesses. If you want more information on this particular topic, see our other blog about How the CCPA Will Affect the Future of Data Privacy

Facebook announced starting on July 1, Limited Data Use (LDU) would be automatically enabled for all business accounts on the platform, limiting the way a user’s personal information can be processed through the Facebook ecosystem if they are a resident of California. The definition “personal information” is very broad. It includes browsing data, purchase history and website interaction data. 

This automatic fix only stayed on until July 31. From there, Facebook required businesses to update their pixel accordingly to include an LDU parameter. If you did not take an action before August 1, your brand is not in compliance. 

Luckily, Facebook has extended the original end of the transition period from July 31 to October 20. You can extend the transition period by updating the settings in Events Manager. Go to the Data Sources tab, select your pixel, and then select Settings. Here, you can extend the transition period or you can go ahead and end it if you are CCPA compliant and/or your developers have implemented the specific LDU code into your pixel.

CCPA Impacts Business When:

  1. Annual gross revenue exceeds $25 million
  2. You buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices 
  3. 50% or more of annual revenue derives from selling consumers’ personal information

Despite only protecting California users, this law still applies to businesses without a physical presence or employees in California. Of the three conditions, the 50,000-consumer threshold is rather easy to overcome and could affect many more businesses than originally thought, possibly even yours.

How Do Marketers Stand Up for What Is Right? 

Over the course of the COVID-19 pandemic, Facebook has seen a larger percentage increase in daily traffic than Netflix and YouTube. Not only are people looking to connect, but they are also getting their news from Facebook in addition to social connection. Many small businesses have been able to weather the storm of the coronavirus through Facebook advertising options along with one of the newest features, Facebook Shops.  

People continued to look for community and support on social media as protests broke out across the United States starting in late May following the deaths of George Floyd, Breonna Taylor and Ahmaud Arbery. Within the week, people organized #BlackoutTuesday with the plan of going silent on social media on June 2, 2020 and standing in solidarity with the Black Lives Matter movement. 

As Facebook and social media usage rose, it became important to marketers to take a stand against unethical policies regarding personal privacy. In July, more than 1,000 companies took part in the #StopHateforProfit Facebook boycott. Despite the decrease in ad spend from the household brands that left the platform, according to a survey directed by Search Engine Land, nearly 70% of consumers were either unaware of the boycott or hadn’t formed an opinion. The boycott demands were not met, but Facebook has made a few statements on how it will do a better and faster job addressing hate speech and fake news on its platform.

September 2020

On September 3, 2020, Facebook announced that it will be banning new political ads in the week before the presidential election. The action is slim, banning only the political ads submitted within the week before, but still allowing those submitted before October 27. 


The platform is taking additional steps to “help secure the integrity of the US elections by encouraging voting, connecting people to authoritative information and reducing the risks of post-election confusion.” As the 2020 election nears, it is imperative that issues of privacy and ethics on Facebook be addressed and appropriately handled. 

Future Restrictions and Updates Are Inevitable 

There have been many changes over the years, and there will continue to be more as time goes on. Users will get what they want as they get more privacy, but digital marketers’ jobs will get harder as they deal with more targeting restrictions. For instance, in late March of 2020, Apple announced that it has updated Safari’s anti-tracking technology with full third-party blocking. Then, in late July, the story changed, and Safari reportedly will no longer block Google Analytics as it was previously thought. 

Most recently, however, Facebook warned marketers that Apple’s iOS 14 could shave more than 50% from the Audience Network Revenue. The new update will require apps to ask users for permission to collect and share data using Apple’s device identifier. Also, iOS 14 will not collect IDFA, which is a unique device ID number that allows advertisers to better target ads and estimate their effectiveness.

The landscape is ever-evolving, and we can’t always be prepared for what’s to come. Change is inevitable, but we must try to embrace these changes in order to thrive through periods of growth and transition.

Remember, growth and comfort do not coexist. If you feel uncomfortable through these changes, know that our industry is growing. 

Welcome the change, because ready or not, it’s coming.

Written by Meleigha Millman on September 30, 2020


Add A Comment
Mmillman 1 nnkxbwv
Written by
Meleigha Millman
Senior Paid Social Manager