In 2018, Facebook admitted that data from more than 80 million users had been harvested by Cambridge Analytica and used to influence elections. Since then we’ve seen regular headlines about breaches, shadow data-sharing, and “claim your settlement” emails. So: is online privacy already dead? I don’t think so, but it is endangered.
TL;DR: Online privacy survives where law, tech, and habits work together. Government surveillance, platform data grabs, and security gaps keep raising the stakes but GDPR, the CCPA, privacy-first tools, and smarter user habits show how to keep privacy alive.
What “privacy” means online
A solid baseline is three ideas: freedom from intrusion (being left alone), control of personal info, and freedom from surveillance (not being constantly tracked). Move those concepts online and you get the modern fight: your behavior, location, networks, and attention are monetized unless law and product choices say otherwise.
Historically, the privacy “right” in the U.S. traces to Warren & Brandeis (1890), who argued for limits on intrusive publication. Today, the threat isn’t tabloid photographers—it’s data pipelines and ad-tech systems operating at population scale.
Cambridge Analytica: a case study in failure
The Facebook/Cambridge Analytica scandal showcased how weak guardrails enable mass data extraction. A quiz app, permissive APIs (until 2015), and friend-of-friend access enabled the construction of detailed psychological profiles used to target political messaging at scale. The FTC had already cited Facebook for policy violations, underscoring that self-regulation wasn’t enough. U.S. privacy protections proved too thin against industrial-scale data operations.
GDPR vs. CCPA: why policy design matters
GDPR (EU, 2018) set a stronger default: opt-in consent, data access and portability rights, the right to be forgotten, and 72-hour breach notifications backed by fines up to €20M (or 4% of global revenue).
CCPA (California) moves the U.S. forward but is narrower: it’s largely opt-out via “Do Not Sell” and focuses on access/deletion. It’s a start—but it’s state-level, uneven, and looser than GDPR. The U.S. will need federal action to harmonize and strengthen rights.
Tech helps (imperfectly)
Privacy-forward defaults (private search, tracker-blocking, E2E messaging) help. But vulnerabilities and misconfigurations remain. That’s why law + design + user habits have to work together: none of them is sufficient on its own.
Where we go from here
To keep privacy alive, we should push for:
- Federal GDPR-like standards in the U.S. (opt-in consent, deletion, portability, timely breach notices).
- Real enforcement so violations are too expensive to ignore.
- Privacy-first product design: minimal collection, E2E encryption, transparent dashboards, independent audits.
- User habits that favor tools and platforms with strong privacy stances.
Bottom line: Privacy isn’t dead—but it only survives if we insist on it with our legislation, our products, and our choices.
Sources & Further Reading
- Isaak, Jim & Hanna, Mina J. User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection. Computer 51(8), 2018. IEEE Xplore
-
Cookiebot. *CCPA vs GDPR Compliance with Cookiebot.* (2024). cookiebot.com - General Data Protection Regulation (GDPR) – Legal Text. gdpr-info.eu
- GDPR.eu. What is GDPR, the EU’s new data protection law? gdpr.eu/what-is-gdpr
- State of California Department of Justice. California Consumer Privacy Act (CCPA). oag.ca.gov/privacy/ccpa
- King’s College London. WhatsApp still vulnerable to security flaws discovered almost a decade ago. (2025). kcl.ac.uk
- Nix, Alexander. Cambridge Analytica – The Power of Big Data and Psychographics. YouTube, Concordia, 2016. youtu.be/n8Dd5aVXLCc
Adapted from my essay; edited for web clarity and length.