Facebook profile on Apple iPhone 6s Facebook profile on an Apple iPhone 6s. |

In the uproar that ensued after it was revealed that Cambridge Analytica collected the data of around 87 million Facebook users, some of the social media site's customers downloaded all their Facebook data to see just what personal information it held. What some users found led to even more outrage. Among the usual Facebook content of personal posts and friend requests were also the metadata of their SMS texts and calls.

Facebook has publicly stated it always asked for consent before collecting such information from users. On April 4, the social media company also changed its policy to delete all collected SMS and call logs older than one year. But the way in which consent was requested and gained to collect SMS and call log data has privacy advocates crying foul, and it may lead to legal liabilities for the social media company and Google's mobile operating system Android.

Ars Technica reported that in Android systems older than version 4.1, which was released in 2012, permission requests were bundled. “The older versions of Android basically asked for the 'read contacts' permission, so users assumed that would be their address book. But what they did was bundle that into the call log” to also collect SMS and call metadata, Shawn Davis, director of digital forensics at Edelson, told LTN.

While the permission requests have the capability to be split and are more specific in newer versions of Android operations systems, according to Ars Technica, they could still be presented as bundled by mobile applications. It is not yet known, however, whether bundling permissions will lead to legal burdens for Facebook or Android.

Jarno Vanto, a shareholder at Polsinelli, noted that while EU law, under the 1995 Data Protection Directive, and the upcoming General Data Protection Regulation (GDPR) forbids such permission bundling, its legality is less clear under U.S. law. “One of the key requirements under the Federal Trade Commission (FTC) Act is that any consumer disclosure in a privacy policy or on a web form must provide information that is truthful and that describes the actual practices of the company,” he said.

He specifically pointed out that Section 5 of the FTC Act defines what constitutes deceptive notice practices, and it enables the FTC to go after such activity. But, Vanto added, “I would not go so far as to say that these kind of vague permissions amounts to deceptive acts. At worst, it is kind of a failure to provide meaningful information to consumers about the choice they are making.”

Rebecca Rakoski, managing partner at Xpan Law Group, however, believes there is a distinct possibility the FTC looks into the matter. “It certainly is something we should all be watching, because the FTC is going to be incentivized to move forward and to make sure these privacy laws are being shored up in a more modern fashion rather than the old way of approaching privacy,” she said. “We are in a new realm with the way we exchange information over social media, and the law has not quite caught up to that.”

Jordan Fischer, managing partner at Xpan, added that the way the permissions were bundled can still be a privacy issue, despite the fact that such bundling may have only applied to older versions of Android in many instances. “It doesn't negate the fact that, for a period of time, they didn't ask for specific permission. It might mitigate any sanction they might receive, but it doesn't necessarily do away with the privacy violation.”

Beyond the FTC, Facebook and Android may face further scrutiny from states that have robust privacy laws, such as California, Rakoski said. “It would be important that you look not just at the federal level but also the state level.”

Whether the Facebook or Android face any legal problems remains to be seen, but it is clear that after Facebook's recent troubles, consumers are expecting a higher level of transparency from social media and internet companies.

“I think that the amount of public backlash and outrage we are seeing demonstrates that even though there are these permissions you can see and you have to grant before the apps can access your phone, they weren't clear enough, and that's why consumers are so upset at them,” said David Mindell, partner at Edelson.

“I think the problem is more the transparency of the disclosure and the accuracy of the disclosure that is made,” he added.