Meta, California agree to settle Facebook privacy case
December 20, 2025
By George Kelly and Michael McLaughlin
Published Dec. 19, 2025 • 11:47am
California Attorney General Rob Bonta on Thursday announced a $50 million settlement with Meta Platforms Inc., resolving allegations that the company deceived millions of users about privacy controls and allowed third-party apps to improperly access personal information for years.
The settlement, pending approval by a San Francisco Superior Court judge, stems from allegations that Meta misled Facebook users about their ability to limit who could see their personal details, including information that was collected and sold to Cambridge Analytica in 2013. The practice affected an estimated 7 million Facebook users in California.
Under the agreement, Meta will pay $50 million in civil penalties and implement reforms to how it oversees third-party applications on the Facebook platform for the next three years. The company did not admit wrongdoing as part of the settlement.
The settlement amount is a drop in the bucket for the social media behemoth. According to a January 2025 statement, Meta generated $164.5 billion in revenue for the 2024 fiscal year; the settlement would amount to about 0.03% of that. Earning revenue at the rate of $18.78 million per hour, the company would have needed just under 2 hours and 40 minutes to cover the cost. That’s more than enough time to screen the David Fincher-directed 2010 movie “The Social Network,” plus a generous amount of trailers.
Looking at it from another angle, $50 million is equal to 0.17% of the $29.75 billion Meta shelled out to repurchase its Class A common stock that same year.
The complaint centered on what Facebook users were told about protections for their personal information versus what Meta allowed third parties to do. Meta told users they could restrict their data to “friends” on Facebook through privacy settings. But the company simultaneously granted millions of third-party apps access to that information through the Facebook App Platform, a tool for app developers that was distinct from the main social media site.
According to court documents, Meta CEO Mark Zuckerberg and other senior executives knew about privacy risks as early as 2012 but delayed action, possibly to protect the company’s declining stock price.
The settlement requires Meta to maintain comprehensive policies governing how third-party developers can access user information, including clear disclosures about what data apps collect and how it is used. Meta must also establish a “robust enforcement program” to monitor app developers’ compliance with its policies.
The three-year agreement says Meta must disclose to users what information third-party apps will access before users authorize the apps, and provide an option to withhold authorization.
“By settling this matter with no admission of wrongdoing, we’re choosing to focus on the future,” a Meta spokesperson said. “This settlement relates to a years-long dispute about repeatedly debunked allegations regarding old practices that are no longer relevant to how Meta’s products or systems work. We look forward to continuing to build products Californians love and trust.”
Meta must also enable users to review which apps have access to their data, including when apps last accessed information. The settlement stipulates that Meta will periodically review third parties’ compliance and notify users when there are violations, among other terms.
The settlement also requires Meta to submit twice-yearly enforcement reports to its board of directors and make those reports available to the attorney general upon request. An executive must report annually to the board on compliance with the judgment.
According to the complaint, Meta made changes to Facebook privacy settings in December 2012 that removed references to third-party apps from the main privacy page and buried app-specific controls where few users would find them. The company also granted certain “whitelisted” apps special access to user data that bypassed privacy settings entirely.
The attorney general’s investigation found that despite estimating that hundreds of thousands of apps violated its policies by accessing unnecessary user data, Meta could identify only 63 enforcement actions between 2012 and 2018. The complaint alleges that Meta made at least seven false public statements between 2010 and 2016 claiming it aggressively enforced policies to protect users.
In court files, the company stated that it was settling “for the sake of resolution” without admitting facts or legal claims alleged in the complaint.
The settlement comes years after the Cambridge Analytica scandal became public in 2018, revealing that the British consulting firm had obtained data from millions of Facebook users without their consent. The information was used for political advertising during the 2016 presidential election.
The settlement will remain in effect for three years and must be implemented within 180 days. The court retains jurisdiction to enforce compliance.
