A San Francisco Superior Court entered a final judgment and permanent injunction against Meta Platforms, Inc. on March 3, 2026, ordering the company to pay $50 million in civil penalties and comply with an extensive set of data governance obligations tied to how Facebook handles user information shared with third-party application developers. The case, People of the State of California v. Meta Platforms, Inc., Case No. CGC 25 631678, was filed by California Attorney General Rob Bonta and signed by Visiting Judge John M. True.

The judgment resolves allegations that Meta deceived consumers about their ability to control which individuals and entities could access the personal details they uploaded to Facebook - conduct that, according to a LinkedIn post by Mike Osgood, Deputy Attorney General and one of the attorneys for the People, arose from the circumstances giving rise to the Cambridge Analytica scandal.

The penalty is to be paid within sixty days of Meta receiving payment instructions from the California Attorney General, according to the judgment document. Each party bears its own attorney fees and costs.

What the injunction covers

The 16-page document is structured around four categories of obligation: policy requirements, system requirements, enforcement requirements, and reporting requirements to both the attorney general and Meta's own board of directors. These obligations apply not just to Meta itself but to its officers, employees, directors, successors, affiliates, parents, subsidiaries, assigns, principals, and agents - in connection with the use or operation of the Facebook Platform as defined in the judgment.

The judgment defines the Facebook Platform as a set of services and tools, including application programming interfaces, related to the Facebook social networking service accessible through www.Facebook.com and mobile applications, made available to developers. The term explicitly excludes services and tools related to other Meta products, according to the document, including Instagram, Messenger, WhatsApp, Threads, AI at Meta, Meta Pay, and Reality Labs.

Non-public user information is defined as any user profile information - that is, information a user adds to or is listed on the user's Facebook profile - that is restricted by one or more privacy settings, or user-generated content such as status updates and photos that is restricted by one or more privacy settings. This is the category of data at the center of the case.

How data flows to third-party developers

The judgment provides significant technical detail about how Facebook Login - the authentication mechanism through which third-party applications access user data - operates. According to the document, Facebook Login is any tool or substantially similar functionality offered as part of the Facebook Platform service to developers that can be incorporated into a third-party application and which enables users to log in to such applications and potentially authorize a third-party application to access their non-public user information.

Developers, as defined in the judgment, are third-party software developers who access non-public user information through Facebook Login, outside of a user-initiated transfer of non-public user information as part of a data portability protocol or standard. Service providers - a separate category - are entities authorized to use non-public user information accessed through the Facebook Platform for and at the direction of Meta or developers, subject to strict confidentiality conditions.

The document distinguishes carefully between these categories. A severe policy violation is defined as a confirmed instance of misuse - meaning the unauthorized transfer of non-public user information obtained through the Facebook Platform by developers in violation of Meta's policy - that occurs after the effective date of the judgment.

Meta's developer platform compliance processes have evolved significantly in recent years, including the launch of a consolidated Data Access Renewal system in October 2024. The judgment now codifies a much stricter framework around those processes.

Policy requirements: what Meta must maintain

Section III of the judgment - the injunctive provisions - runs to over ten pages. Under policy requirements, Meta must maintain a policy that requires developers to provide their users with an easily accessible privacy policy. Meta must clearly and conspicuously display a hyperlink to the developer's privacy policy to users at the point at which the user authorizes the developer's third-party application to receive non-public user information through the Facebook Platform.

The disclosure requirements are detailed. The judgment defines "clearly and conspicuously" as a disclosure that is difficult to miss - that is, easily noticeable and easily understandable by users. For visual disclosures, size, contrast, location, and the length of time the disclosure appears must ensure it stands out from accompanying text. Audible disclosures must be delivered at a volume, speed, and cadence sufficient to be easily heard and understood. In any communication using an interactive electronic medium such as the internet or software, the disclosure must be unavoidable, according to the document.

Meta must also maintain a policy that requires any third-party application requesting non-public user information to clearly disclose how such information will be used. The policy must prohibit any third-party application from using non-public user information in any manner or for any purpose not disclosed to the user. Data transfer between developers and other third parties is prohibited except with the affirmative express consent of users, for service providers using the information on the developers' behalf, or as reasonably necessary to comply with applicable law or to prevent or mitigate fraud or security vulnerabilities.

Categories of non-public user information that developers may request through Facebook Login are limited to only those that would enhance the user's experience, according to the document. Developers seeking access to additional categories beyond a baseline - which includes user ID, name, profile photo, and email address - must undergo an application review process and obtain affirmative express consent from the user before receiving any such information. Meta must document the developer's stated justification and its decision to allow or deny each request.

The judgment also requires Meta to maintain a policy limiting data retention: developers may retain users' non-public user information only for as long as they have a legitimate business purpose for retaining such information, and must delete or de-identify the information within a reasonable timeframe following the expiration of a legitimate business purpose, except as reasonably necessary to comply with applicable law.

System requirements: user-facing disclosures

On the system side, Meta must maintain a mechanism that, when a user is prompted to authorize a new third-party application to access non-public user information using Facebook Login, clearly and conspicuously discloses the non-public user information that the third-party application will obtain if the user provides authorization, and provides the user the option to withhold such authorization.

Meta must also operate and provide users with an interface where users can review the third-party applications they have authorized to access non-public user information using Facebook Login - including those that are active, those that have expired because Meta removed access after ninety calendar days of inactivity, and those that Meta has removed for a severe policy violation since the effective date. The interface must clearly and conspicuously disclose whether access is ongoing unless revoked, the categories of non-public user information currently shared with each third-party application, the last date after the effective date on which each third-party application accessed each category of non-public user information, and for active third-party applications, the initial date the user connected to each application through Facebook Login.

Meta must remove a third-party application's ability to access additional non-public user information from a user through Facebook Login when Meta's systems detect that the user has not used the third-party application in the previous ninety calendar days. Additionally, Meta must prohibit developers from requesting that users provide permission to access non-public user information from anyone other than that user, and must ensure that application programming interfaces available through Meta's Messenger Platform are not automatically accessible when Meta grants a developer access to the Facebook Platform alone.

The judgment also requires Meta to provide informational tools to users that disclose how Meta collects and uses non-public user information related to a user's location, including how it may use that information for advertising purposes, and how users can make changes regarding their location-related non-public user information by accessing relevant settings and controls.

Meta's revamped Platform Terms took effect on February 3, 2025, introducing requirements for privacy policy accessibility and user consent for profile building. The injunction's system requirements go substantially further, embedding these obligations into court-enforceable obligations with attorney general oversight.

Enforcement requirements: investigations and reporting

The judgment imposes a substantial internal enforcement apparatus. Meta must maintain a robust enforcement program that monitors third-party application compliance with the policy, including through ongoing manual reviews and automated scans, and at least once every twelve months, assessments by Meta or an entity contracted by Meta confirming that third-party applications use non-public user information as described to Meta.

Where Meta confirms that a developer account has committed a severe policy violation, it must impose a developer account deactivation - an enforcement action that prevents a specific developer account from accessing any third-party applications for which it is an administrator and from creating new third-party applications. A developer account deactivation will also result in the deletion of any third-party application where the developer account is the third-party application's only administrator, according to the document.

Twice annually, Meta must generate a written enforcement report to be presented to Meta's Board of Directors or an appropriate committee thereof. The enforcement report must disclose, for the immediately preceding half year, four categories of information regarding policy violations involving non-public user information retrieved through a third-party application using Facebook Login: the number of and basis for investigations conducted; the number of investigations completed; the number of violations confirmed; and the number of enforcement actions taken. Upon request from the California Attorney General, Meta must provide the enforcement report to the attorney general.

Meta must take reasonable steps to notify users if Meta confirms that a developer has committed a severe policy violation with respect to their non-public user information - notifying affected users by email or upon the user's login to Facebook, without unreasonable delay following the discovery of the severe policy violation.

Meta must also develop, implement, and maintain a reporting program available to the public that allows cases of suspected misuse by developers to be reported to Meta for investigation, and must maintain a channel through which employees and contingent workers may submit anonymous complaints or concerns about the privacy of users' non-public user information shared through the Facebook Platform.

Duration, implementation timeline, and release

Meta has 180 calendar days from the effective date to implement the steps set forth in the injunctive provisions, unless otherwise specified. The injunctive obligations in paragraphs 22 through 49 and 51 through 54 will terminate three years after the effective date. The judgment takes effect immediately upon entry, according to its final provisions.

The release provisions confirm that upon payment of the $50 million, the Attorney General will release Meta and its affiliates, subsidiaries, officers, employees, and related parties from known and unknown civil claims that the Attorney General could have filed based on the covered conduct occurring prior to entry of the judgment. However, six categories of claims are specifically reserved and not released: violations of state or federal antitrust laws, violations of securities laws, violations of state or federal tax laws, criminal liability, violations of the Children's Online Privacy Protection Act, and the claims asserted in People of the State of California v. Meta Platforms, Inc., N.D. Cal. Case No. 23-cv-05448, and associated cases.

The judgment was entered without trial or adjudication of any fact or law, and without Meta admitting any liability. All parties waived their right to appeal.

Context: a pattern of privacy enforcement

The $50 million penalty sits within a broader pattern of mounting legal and regulatory pressure on Meta's data practices across multiple jurisdictions. A federal jury in San Francisco found Meta violated the California Invasion of Privacy Act in August 2025 by secretly collecting sensitive menstrual and reproductive health data from millions of women through the period-tracking app Flo. California Attorney General Rob Bonta announced a $1.4 million settlement with mobile gaming company Jam City in November 2025 for CCPA violations, the sixth settlement under that law since it took effect.

California privacy law updates that took effect on January 1, 2026 expanded requirements around consumer consent, obligating businesses to enter into agreements with any third party receiving consumer data. The Meta injunction builds on that backdrop of state-level enforcement.

In a separate proceeding, Meta's shareholders settled a seven-year lawsuit for $190 million in November 2025 over board failures related to the Cambridge Analytica scandal and the $5 billion FTC settlement that resulted. That FTC settlement - formally the Stipulated Order for Civil Penalty, Monetary Judgment, and Relief in United States of America v. Facebook, Inc., Case No. 1:19-cv-02184, filed on July 24, 2019 and approved by the court on April 23, 2020 - is directly referenced in the California judgment's definitions section, which defines the FTC Settlement and the FTC Independent Privacy Program Assessments derived from it.

Outside the United States, a Madrid court ordered Meta to pay €479 million to 87 Spanish digital news publishers in November 2025 for GDPR violations in behavioral advertising. A Canadian court ruled in September 2024 that Facebook breached Canadian privacy laws in its handling of user data shared with third-party apps between 2013 and 2015. The Dresden Higher Regional Court in Germany delivered final rulings against Meta on February 3, 2026 ordering the company to pay €1,500 per plaintiff to four users for illegally collecting personal data across third-party websites and apps - rulings from which Meta cannot appeal.

For the digital advertising and marketing technology community, the California judgment matters primarily because of what it requires Meta to disclose to users about advertising purposes. The explicit inclusion of location-based data disclosure requirements - including how Meta may use that information for advertising purposes - and the restrictions on non-public user information flow to third-party developers have direct implications for programmatic advertising ecosystems built around Facebook Login and the Facebook Platform. Developers who access user data beyond the baseline four categories (user ID, name, profile photo, and email address) face a new application review process and the requirement for affirmative express consent. The 90-day inactivity rule, which strips third-party application access to additional non-public user information when users have not used the application for three months, could affect data pipelines that marketing technology platforms have historically maintained through Facebook Login integrations.

Summary

Who: Meta Platforms, Inc. is the defendant. The People of the State of California, represented by Attorney General Rob Bonta, is the plaintiff. Visiting Judge John M. True signed the judgment. Meta was represented by Benjamin A. Powell of Wilmer Cutler Pickering Hale and Dorr LLP.

What: A final judgment and permanent injunction requiring Meta to pay $50 million in civil penalties and comply with a sweeping set of policy, system, enforcement, and reporting obligations governing how the Facebook Platform handles non-public user information shared with third-party application developers through Facebook Login. The obligations last three years from the effective date.

When: The judgment was signed and filed on March 3, 2026. Meta has 180 calendar days to implement the required steps. Payment of the $50 million must occur within sixty days of receiving instructions from the California Attorney General.

Where: The Superior Court of the State of California for the City and County of San Francisco, Case No. CGC 25 631678.

Why: The case arose from allegations that Meta deceived consumers about their ability to control the audience of personal details they uploaded to Facebook, in connection with the circumstances giving rise to the Cambridge Analytica scandal. California Attorney General Rob Bonta brought the case under Business and Professions Code § 17206. The judgment resolves the covered conduct without trial, without any admission of liability by Meta, and with both parties having waived their right to appeal.
