Jason S. Miyares
Attorney General of Virginia

Image of the Virginia AG Seal

Commonwealth of Virginia
Office of the Attorney General

Mark Herring
Attorney General

202 North Ninth Street
Richmond, Virginia 23219


For media inquiries only, contact:  
Michael Kelly, Director of Communications
Phone: (804)786-5874 
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.


~ Attorney General Herring joins bipartisan coalition of 37 state attorneys general in asking for information on Facebook's business practices and privacy protections in letter to CEO Zuckerberg ~

RICHMOND (March, 26, 2018) - Today, Attorney General Mark R. Herring and attorneys general from 36 other states and territories sent a letter to Facebook CEO Mark Zuckerberg demanding answers about the company's business practices and privacy protections.


"Facebook users deserve to know how their private information is being used," said Attorney General Herring. "In an ever-changing digital landscape, it is imperative to protect consumers' sensitive information. I am extremely concerned about recent reports that a third-party used an application on Facebook to inappropriately access the personal information of millions of users without their consent. As attorneys general, we play a crucial role in protecting users' private information and holding thosewho violate their privacy accountable. I hope Mark Zuckerberg will provide us with adequate answers to our questions."


As the 37 attorneys general write in their letter to CEO Zuckerberg, news reports indicate the data of at least 50 million Facebook profiles may have been misused by third-party software developers. Facebook's policies allowed developers to access the personal data of "friends" of people who used certain applications - without the knowledge or consent of these users.


The letter to Zuckerberg raises a series of questions about the social networking site's policies and practices, including:

  • Were those terms of service clear and understandable?
  • How did Facebook monitor what these developers did with all the data that they collected?
  • What type of controls did Facebook have over the data given to developers?
  • Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user's data?
  • How many users in the states of the signatory Attorneys General were impacted?
  • When did Facebook learn of this breach of privacy protections?
  • During this time frame, what other third-party "research" applications were also able to access the data of unsuspecting Facebook users?

The attorneys general write in the letter: "Facebook apparently contends that this incident of harvesting tens of millions of profiles was not the result of a technical data breach; however, the reports allege that Facebook gave away the personal data of users who never authorized these developers to obtain it, and relied on terms of service and settings that were confusing and perhaps misleading to its users."


Joining Attorney General Herring in signing today's letter were attorneys general from Alabama, American Samoa, California, Colorado, Connecticut, Delaware, District of Columbia, Guam, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Vermont, and Washington.


To view a copy of today's letter and the full list of signatories, please click list of signatories.


# # #