Partner Carol C. Villegas and Associate Danielle Izzo are authors of the analysis "When Social Media Data Can Imperil Your Privacy Class Action" published by Law360 on March 23, 2023.

In the past five years, consumer data privacy class actions have exploded due to countless privacy violations by Big Tech companies.

Individual and class action suits have been filed against companies like Meta Platforms Inc., Amazon.com Inc., Snap Inc., Google LLC, and other tech companies for the surreptitious collection and use of a variety of personal data without providing users notice or obtaining their consent.

As these cases enter discovery, plaintiffs face a somewhat unequal playing field.

Big Tech companies have access to troves of user data about plaintiffs that has been collected or shared through their social media platforms or even app usage, meaning plaintiffs enter discovery in a fishbowl with much of their data on display.

Many claims against Big Tech include allegations that a user's privacy was violated in some way, and yet, ironically it is that very data that can be used against plaintiffs seeking to vindicate their privacy rights.

Plaintiffs pursuing these privacy actions are left with major concerns, primarily: Can my private data really be used against me?

The terms of service for these social media and tech platforms are telling.¹  Based on their provisions, it appears that defendant tech companies believe they have unfettered access to the data shared on, or through, their platforms.

Meta purports to have full access to any content posted on Facebook or Instagram, as indicated by Meta's terms of service, which state:

[W]hen you share, post, or upload content that is covered by intellectual property rights on or in connection with our Products, you grant us a non‑exclusive, transferable, sub-licensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your content.²

Instagram's terms of use contain an almost identical provision.³  Snap takes the same approach, stating:

Many of our Services let you create, upload, post, send, receive, and store content.  When you do that, you retain whatever ownership rights in that content you had to begin with.  But you grant us a license to use that content.⁴

Snap's license "includes a right for [Snap] to make your content available to, and pass these rights along to, service providers with whom we have contractual relationships."⁵

These broad licenses over user data strongly suggest that tech companies believe they can use this data for any purpose at all — including in litigation.  But there is a tremendous amount of tension here.

These user agreements, written in legalese, are confusing for many lay people and even U.S. Congress has commented that these types of user agreements are confusing and unclear, and arguably, they can be unnecessarily — and maybe purposefully — cumbersome to review.⁶

While these broad licenses are concerning, many users continue to believe that they maintain some level of control over their data due to their ability to delete posts, comments, private messages and even full accounts.

In addition, users believe that some types of data they enter into apps — like health data or financial data — is entitled to some form of special protection given the sensitive nature of the data.

However, recent developments are raising surprising and troublesome questions such as: Is your data ever really private?  Is your data ever really deleted?

Based on several recent reports, the short answer to both questions is likely, no.

For example, during a 2022 Senate committee meeting, Twitter Inc.'s former security chief Peiter "Mudge" Zatko revealed that Twitter "does not reliably delete the data of users who cancel their accounts."⁷

The same report stated that "Twitter has previously said it has workflows in place to 'begin a deletion process' but has not said whether it typically completes that process."⁸  Thus, Twitter users cannot rely on deletion tools to remove their content or data from Twitter's systems.

Alarmingly, it has been reported that Facebook data is even more difficult to delete.

First, deleted data will remain on Facebook if it has been shared with, or liked by Facebook friends.⁹

Second, it has been reported that Facebook account data is stored across multiple databases at Meta, meaning that users would have to ensure their data was deleted from each and every system.¹⁰

Meta's own documents — publicly leaked in 2022 — show that this level of deletion is a nearly impossible task.  Indeed, this document states that "Facebook has no idea where all of its user data goes, or what it's doing with it."¹¹

As described in a Vice article, Meta is unable to locate user data in Meta's open systems, in which data flows like "ink into a lake of water (our open data systems; our open culture) ... and it flows ... everywhere."¹²

Meta itself has been left asking: "How do you put that ink back in the bottle?"¹³  If Facebook's own engineers are "struggling to make sense and keep track of where user data goes once it's inside Facebook's systems," there can be no guarantee that anyone's data is actually deleted from its systems.¹⁴

Amazon has made eerily similar admissions in response to written questions from Sen. Chris Coons, D-Del.¹⁵

On June 28, 2019, Amazon sent Coons a letter answering many of his questions about "Amazon's privacy and data security practices with respect to [the] Alexa voice service."¹⁶

Amazon admitted that "we may still retain other records of customers' Alexa interactions" even after a user has deleted Alexa voice recordings.¹⁷

Until recently, Google was presumed to be tracking users' locations even if users had turned the tracking feature off in their account privacy settings.¹⁸

Since this discovery, Google paid a $391.5 million fine to 40 states as a settlement for its deceptive conduct.

Oregon's Attorney General Ellen Rosenblum stated that for years "the company continued to secretly record their movements and use that information for advertisers."¹⁹

These examples point to one key conclusion — data, both maintained and purportedly deleted, may remain in tech companies' systems in perpetuity.  The continued access to even deleted data is almost certainly a resource to tech companies in all forms of litigation.

The recent trial of Alex Murdaugh in the State of South Carolina, County of Colleton Court of General Sessions, for murder and using a weapon during the commission of a violent crime highlighted the use of stored social media data in litigation.

Snapchat has repeatedly touted its disappearing pictures, videos and messages.²⁰  But it is well known that the accuracy of such statements has been called into question time and time again.

Last year, prosecutors were able to obtain disappearing videos from Snapchat to use as evidence against Murdaugh.  The video in question, which had been sent in accordance with Snapchat's general policies and procedures, was saved to Snapchat in such a manner that it could later be produced and played for the jury.²¹

News outlets have reported that the video was one of the most damning pieces of evidence presented in the trial and may have been a key reason the jury reached a guilty verdict.²²

The use of social media data in litigation is not limited to the criminal context.  In fact, Meta has premised its defense on plaintiffs' social media posts in at least one consumer class action.

Throughout the In re: Facebook Inc. Consumer Privacy User Profile Litigation class action in the U.S. District Court for the Northern District of California, "Facebook's defense centered on the claim that users could not expect absolute privacy for information they had already posted on the site with the knowledge that it would be shown to their friends," according to a December 2022 The Guardian article.²³

As detailed above, Meta was armed with a plethora of user data when raising this defense.

For the foreseeable future, it is questionable whether user data can actually be deleted from Big Tech's systems by users.  The solution is to use caution when creating accounts or sharing data with apps and social media platforms.

As Meta's own engineers stated, there is no guarantee that the ink will be put back in the bottle.

From a personal perspective, users should be mindful of the information they make accessible to these companies.

From a litigation perspective, plaintiffs attorneys should make sure to carefully vet their clients' social media posts early on — both public and private — and make sure these individuals are comfortable with their posts and opinions potentially becoming part of a public litigation.  A review of all social media accounts may be an important step in this process.

It is equally important to note that a client may have more than one account with any given social media platform.  A helpful way to identify the potential universe of social media accounts is to review a client's app-download history.

Once the accounts are identified, it may be necessary to review the client's selected privacy settings for each account and to note whether any changes were made over the life of the account.

Privacy policies and settings frequently change.  While it is very difficult to view prior versions of apps' privacy settings, it is relatively easy to review archived versions of privacy policies.

Attorneys should try to find and review the privacy policy in effect at the time the client created an account with a particular social media platform.

Plaintiffs attorneys should also encourage clients to review direct messages sent via social media platforms like Facebook Messenger or Instagram Direct Messenger to ensure they are comfortable with potentially publicizing these conversations over the course of the litigation.

Understanding the landscape of clients' social media use, activity and settings selections will allow plaintiffs attorneys to be more knowledgeable during meet and confers and discovery-related discussions.

However, given the sheer breadth of every client's social media presence, and the burden associated with providing and producing all this information — including the privacy burden.

Plaintiffs should seek to limit very early on the types of social media that will be covered by the scope of discovery.

From a defense perspective, the converse is true.  Zealously advocating for your client may involve trudging through thousands of posts, likes, direct messages, tweets and a myriad social media data to find information that could potentially undermine the plaintiffs' claims.

Moreover, given that the online presence of many users is sprawling — covering many social media platforms, websites, app use and others — defendants should, early on, seek to obtain usernames of current and even now defunct accounts in order to gain a complete picture of a user's posts.

Many users have multiple accounts even with the same social media platform.  This also raises questions for defendants and plaintiffs about what is really proportional to seek from users.

The data out there about each potential litigant is voluminous — given years and years of posts, reactions, messages and entries into apps — and increasing exponentially every single day.

Data privacy litigation is certainly not going away and the battleground of what will actually be relevant, useful and proportional will certainly hit the courtroom steps as these types of litigations continue to proliferate.