In April 2018, Mark Zuckerberg testified before the US Senate and then the House of Representatives about Facebook's data practices and the Cambridge Analytica situation. Cambridge Analytica, a political consultancy, had obtained data on approximately 87 million Facebook users through a third-party app that had exploited Facebook's permissive API access policies, and had used that data for political targeting.
The testimony generated an enormous amount of coverage. Parts of it were significant. Parts of it were revealing for the wrong reasons.
Zuckerberg was composed, prepared, and notably careful. His repeated answer of "I will have my team follow up on that" managed to defer many specific questions without appearing evasive enough to create a larger story. He was also operating in an environment where several legislators demonstrated so limited an understanding of how Facebook's business actually worked that their questions were difficult to answer usefully. The moment where a Senator asked how Facebook makes money if it is free, and Zuckerberg replied "Senator, we run ads," became an emblem of the knowledge gap between the people who would regulate the industry and the industry they were attempting to regulate.
The substance of what the Cambridge Analytica situation revealed was more important than the testimony itself. Facebook had built an advertising platform whose fundamental product was detailed information about its users. It had allowed third-party developers access to user data at a scale that its terms of service nominally limited but its enforcement mechanisms did not actually prevent. When Cambridge Analytica's access came to light, the data had already been used. The users affected had no practical way to know their data had been harvested or what it had been used for.
What changed in the aftermath was the seriousness with which regulators in multiple jurisdictions began examining platform data practices. The FTC investigation that had been ongoing took on greater urgency. The European regulators, who were weeks away from GDPR going into effect, had fresh material to work with. Facebook committed to changes in how third-party developers could access user data. Whether those changes were sufficient was a question that took considerably longer to work through.