After Cambridge Analytica: How Meta's Data Exploitation Never Really Stopped

The Cambridge Analytica scandal of 2018 exposed that a political consulting firm had harvested data from up to 87 million Facebook users through a personality quiz app, using that data to build psychographic profiles for political targeting. The scandal triggered congressional hearings, a $5 billion FTC fine, and promises from Mark Zuckerberg that Facebook would fundamentally reform its data practices. Years later, the mechanisms that enabled Cambridge Analytica have been replaced with systems that are arguably more invasive but structured to avoid the specific violations that attracted regulatory attention.

What Actually Changed

Meta restricted third-party API access to user data, making it harder for external companies to harvest information at scale. But the company simultaneously expanded its own first-party data collection to fill the gap, building an internal advertising infrastructure that does everything Cambridge Analytica did — psychographic profiling, behavioral prediction, micro-targeted persuasion — but keeps the data and the capability in-house. The net effect is not less surveillance but more concentrated surveillance, with Meta as the sole beneficiary rather than sharing the capability with third parties.

The Consent Theater

Meta's post-Cambridge Analytica privacy controls are an exercise in consent theater. Users can adjust dozens of privacy settings, review data access logs, and download their data archives. But the fundamental business model — harvesting behavioral data to sell targeted advertising — is not subject to any user control. Users cannot opt out of behavioral tracking while using Meta's platforms, and the data that fuels advertising is collected through mechanisms that most users never see or understand: pixel tracking across the web, app activity monitoring through Meta's SDK, location inference from IP addresses, and social graph analysis.

The $5 billion FTC fine, while record-setting, represented approximately one month of Meta's revenue — a cost of doing business rather than a meaningful deterrent. Meta's quarterly earnings reports following the fine showed no impact on profitability, user growth, or advertising revenue. The lesson Meta drew from Cambridge Analytica was not that data exploitation is wrong but that it should be kept internal rather than shared with third parties who might mishandle it visibly enough to attract regulatory attention.

Users seeking genuine protection from Meta's data practices have limited options beyond leaving the platform entirely. Browser-based protections like Firefox's Facebook Container, VPN usage, and avoiding the Meta mobile apps in favor of web access can reduce the scope of tracking, but cannot eliminate it for active users. The most effective protection remains maintaining no Meta account at all.