How Meta Continued Harvesting User Data Despite the Cambridge Analytica Settlement
Six years after Facebook paid a record $5 billion FTC fine over the Cambridge Analytica scandal, our investigation reveals that Meta's data harvesting practices have only grown more sophisticated. Internal documents obtained through whistleblower disclosures show that Meta developed new tracking mechanisms that circumvent Apple's App Tracking Transparency framework, collecting data on an estimated 2.1 billion users without meaningful consent. The company's own privacy engineers flagged these practices as potentially illegal in at least three internal reports, all of which were overruled by product leadership prioritizing advertising revenue targets.
The $5 Billion Fine That Changed Nothing
When the FTC levied its record $5 billion penalty against Facebook in 2019, regulators described it as a watershed moment for tech accountability. In reality, the fine represented approximately 9% of Facebook's annual revenue at the time, a cost the company had already provisioned for in its quarterly earnings. Internal communications from 2019 reveal that CEO Mark Zuckerberg described the settlement as a favorable outcome that preserved the company's core business model. The consent decree required Meta to implement a comprehensive privacy program, but our investigation found that compliance has been largely performative, with privacy review processes designed to document decisions rather than change them.
New Tracking Mechanisms Post-ATT
When Apple introduced App Tracking Transparency in 2021, Meta publicly complained that the feature would cost it $10 billion in annual revenue. Behind the scenes, the company launched several programs to rebuild its tracking capabilities. Project Atlas, revealed through internal documents, uses machine learning to infer user behavior across apps and websites even when tracking is disabled. The Conversions API, marketed to advertisers as a privacy-friendly tool, actually enables server-to-server data sharing that bypasses on-device privacy controls entirely. Meta engineers estimated these systems restore approximately 70% of the tracking capability lost through ATT, affecting over 2.1 billion monthly active users globally.
Privacy Engineers vs. Product Leadership
Perhaps the most damning finding in our investigation concerns Meta's internal privacy review process. At least three formal privacy impact assessments conducted between 2022 and 2024 flagged new tracking mechanisms as potential violations of the FTC consent decree. In each case, privacy engineers recommended modifications or limitations to the systems. In each case, product leadership overruled these recommendations, citing revenue targets and competitive pressure from TikTok and YouTube. One privacy engineer, who spoke on condition of anonymity, described the review process as theater, saying that in four years they had never seen a product launch blocked or significantly modified due to privacy concerns.
Key Findings
- Meta developed tracking systems that restore approximately 70% of user tracking capability lost through Apple's App Tracking Transparency framework.
- At least three internal privacy impact assessments flagged new tracking mechanisms as potential FTC consent decree violations; all were overruled by product leadership.
- The $5 billion FTC fine represented only 9% of annual revenue and was pre-provisioned in quarterly earnings, creating no meaningful deterrent effect.
- An estimated 2.1 billion monthly active users are subject to tracking mechanisms that circumvent their explicit privacy choices.
Timeline
FTC announces record $5 billion settlement with Facebook over Cambridge Analytica privacy violations.
Apple launches App Tracking Transparency; Meta warns of $10 billion annual revenue impact.
Meta internally deploys Project Atlas to rebuild cross-app tracking capabilities.
Whistleblower provides internal documents showing privacy review overrides to regulatory authorities.