They got the data from Facebook before 2014. Facebook didn't sell it to them. Facebook just GAVE it to them. Up until that time Facebook allowed Facebook applications to not only get profile data from the user who ran an application but allowed them to get profile data from the friends of that user. The terms of service ALWAYS said that you were sharing your friends' profile data. Most people just didn't read them.
This stretch to friends' profiles was removed in 2014.
Cambridge Analytica used Amazon's Mechanical Turk to engage about 270,000 users to run an application (e.g., a game or survey) on Facebook that gave Cambridge Analytica access to the profile data of 50 million other users who were "friends" of that group.
You can split hairs about who violated whose terms of service but the result is that millions of Facebook users' personal data was shared and used for data mining.
It raises serious questions about how Facebook handles your personal data, especially after you read this 2016 memo (archive.is) from a Facebook Vice President.
Mark Zuckerberg had an interview on the BBC in 2009. Here's an excerpt of it:
BBC: So who is going to own the Facebook content, the person who puts it there or you?
Zuckerberg: The person who's putting the content on Facebook always owns the information.
BBC: Are you going to sell it?
Zuckerberg: No, of course not.
As noted above Facebook didn't SELL the information. They just GAVE it away.
And it's not just profile data that Facebook was gathering and retaining. TechCrunch (a Verizon property) had an article recently that described Facebook's tracking Android users’ SMS and phone call metadata as "concealment."
So what can you do?
A friend of mine recently posted on Facebook:
Hey everyone...I am deleting my FB account and messenger on . My Instagram account is . You can find me there. If you want my email addy or telephone number, please just reach out.
Here's my reply:
Google (and your ISP) has similar data but it's not apparent YET that Google gives/sells it like Facebook. There's no telling what the ISPs are doing with it.
Like you, I signed up for Google Plus at the beginning and go there once a week or so. Honestly there's no one on it.
No good answer other than to recognize that all these big companies have access to broad data about you and with "big data" tools they can analyze it and monetize it.
The good news is that unless you are a "target" (e.g. CFO at a Fortune 1000 company) nobody much cares what web sites you go to or where you live.
The Wall Street Journal (WSJD) has had a couple of good articles on Facebook privacy. If you don't have a subscription I've included a technique at the end of this post that may let you read them. Unfortunately it requires you to use Facebook.
One article gives you a step by step of how to dump Facebook. To turn off apps, go here. To manage ads, go here. This link will show you where Facebook has tracked you. Delete them all.
Another article described how to download your Facebook data and what to look for.
You can request a folder of the things you have uploaded to or shared on Facebook from all your sessions on various devices - plus other curious information - to save on your computer. Here are instructions. Once you unzip the folder, open the "index.htm" file in a browser, and start looking around.
What isn't in this single download is a lot of the behind-the-scenes data that Facebook may use to increase engagement and target ads. For instance, it doesn't list people who might have uploaded your phone number or other information when syncing their contacts with Facebook. It doesn't say what ads third-party data providers have targeted at you, or which bit of your grocery shopping or web browsing prompted such ads. (No, Facebook isn't listening through your microphone - it doesn't need to.)
Here's the list of the behind-the-scenes data that Facebook keeps on you.
And if you're worried about Facebook you may be worrying about the wrong thing. Go read this article on your ISP.
And Google? OMG! Here's how to see what they have.
So what do you do?
Scott McNealy, the founder of Sun Microsystems, said (archive.is):
You have zero privacy anyway, Get over it.
The reality is that individually you're not much of a target. Unhook as much of Facebook as you can. And always read the terms of service carefully.
The way I read WSJ articles is to paste the URL into Facebook's "What's on your mind?" box then change the audience to "Only me" and post. Then when I click on the link in the private post it opens to the full story. Then I delete the private post. Remember to change the audience back to whatever you usually use.