AG Racine Sues Mark Zuckerberg for Failing to Protect Millions of Users' Data, Misleading Privacy Practices

Extensive Evidence Shows Facebook CEO Was Personally Involved in Allowing Abuse of User Data Leading to Effort to Manipulate 2016 Election

WASHINGTON, D.C. – Attorney General Karl A. Racine today sued Facebook CEO Mark Zuckerberg for directly participating in decision-making that allowed the Cambridge Analytica data breach – the largest consumer privacy scandal in the nation’s history – while Facebook misled users with claims of privacy and data protection.

In the lawsuit, the Office of the Attorney General (OAG) recounts evidence compiled across a sweeping investigation to allege Mr. Zuckerberg contributed to Facebook’s lax oversight of user data and implementation of misleading privacy agreements. As a result, it allowed third-parties, such as political consulting firm Cambridge Analytica, to obtain personal data from 87 million Americans, including over half of District residents, and use that data to manipulate the 2016 election.

“Since filing our landmark lawsuit against Facebook, my office has fought tooth and nail against the company's characteristic efforts to resist producing documents and otherwise thwart our suit. We continue to persist and have followed the evidence right to Mr. Zuckerberg,” said AG Racine. “The evidence shows Mr. Zuckerberg was personally involved in Facebook’s failure to protect the privacy and data of its users leading directly to the Cambridge Analytica incident. This unprecedented security breach exposed tens of millions of Americans’ personal information, and Mr. Zuckerberg’s policies enabled a multi-year effort to mislead users about the extent of Facebook's wrongful conduct. This lawsuit is not only warranted, but necessary, and sends a message that corporate leaders, including CEOs, will be held accountable for their actions.”

This action follows OAG’s review of hundreds of thousands of pages of documents produced during litigation of an ongoing lawsuit filed in December 2018 against Facebook. As part of the litigation, OAG conducted a wide range of depositions with Facebook’s directors, former employees, and whistleblowers, and examined hours of Mr. Zuckerberg’s public statements, including sworn testimony before the U.S. Senate and other law enforcement agencies. This evidence confirmed Mr. Zuckerberg’s direct oversight of major decisions that led to Cambridge Analytica’s, and other third-parties’, mass collection and manipulation of user data and Facebook’s misrepresentation to users about the security of their personal information.

In the run-up to the 2016 presidential election, Facebook, under Mr. Zuckerberg’s control, allowed a third-party to launch an app claiming to be a “personality quiz” which also collected data from the app users’ Facebook friends without their knowledge or consent. The app’s developer then sold this data to Cambridge Analytica, which used it to help presidential campaigns target voters based on their personal traits. An investigation by OAG found that this abuse was among the many examples of Facebook’s failure to adhere to its promises to protect consumers’ data, violating the District’s Consumer Protection Procedures Act (CPPA), which prohibits unfair and deceptive trade practices. Under the CPPA, individuals are liable for a company’s actions if these individuals knew about, controlled, or failed to stop, the company’s actions.

In the lawsuit, OAG alleges Mr. Zuckerberg:

  • Served as Facebook’s co-founder, Chief Executive Officer, and as a member of Facebook’s Board of Directors, overseeing Facebook’s operations: Since 2012, he has served as Chairman of Facebook’s Board and controls approximately 60% of the voting shares. At all times relevant to the lawsuit, evidence showed Mr. Zuckerberg was responsible for and had the clear ability to control Facebook’s day-to-day operations.
  • Enabled Cambridge Analytica to use Facebook data and influence voters: In the run-up to the 2016 election, Cambridge Analytica was able to access Facebook users’ data because of Mr. Zuckerberg’s vision of opening up the Facebook platform to third parties. Such efforts enabled Cambridge – and companies like it – to abuse their access and take massive amounts of user data out of Facebook through a side door that was an open secret to developers and Facebook alike. Evidence shows Mr. Zuckerberg was intimately involved both in envisioning and administering this new regime. Meanwhile, Facebook represented to users that their data was safe.   
  • Built Facebook into a company with remarkable influence where its decisions impact users across the globe: Facebook has grown from a simple website for “sharing” information with friends to one with unprecedented influence on the world, and with an unelected person at the helm of that company. Now that Facebook has grown larger than any country on earth, with revenues exceeding the economies of many nations, Mr. Zuckerberg’s decision-making has global implications including impacting the data and privacy of hundreds of thousands of users in the District.   

A copy of the complaint against Mr. Zuckerberg can be found here.


This lawsuit builds on AG Racine’s efforts to hold big tech companies and their executives accountable for their actions and to stand up for District residents facing deceptive, predatory practices. OAG has pursued lawsuits against some of the world’s biggest tech companies for anticompetitive behavior and dishonest, insufficient privacy practices that illegally mislead consumers for their own profit.

Among many other actions, AG Racine filed a lawsuit against Facebook for failing to protect the data of its users when Cambridge Analytica acquired and used that data to manipulate the 2016 election. He filed an antitrust lawsuit against Amazon to stop anticompetitive and unlawful behavior that controls prices across the entire online market. He sued Google for deceiving and manipulating consumers to gain access to their location data, including making it nearly impossible for users to stop their location from being tracked. He introduced legislation before the DC Council – which passed in 2020 – to modernize the District’s data breach law, strengthen protections for residents’ personal information, and prevent identity theft. AG Racine has also worked to make sure gig economy companies – like DoorDash, Instacart, GrubHub, and Getaround – follow the same laws as brick-and-mortar businesses, including wage and hour laws.

Protecting Yourself Online
District consumers should take the following steps to protect their personal information when using social media platforms like Facebook here. For more information on how to protect your data online, visit OAG’s Consumer Protection Library here.

How to File a Consumer Complaint
Consumers can report data theft, scams, and unlawful or abusive business practices by calling OAG’s Office of Consumer Protection at (202) 442-9828, emailing, or submitting a complaint online using OAG’s Consumer Complaint Form.