According to James Grimmelmann, professor of law at the University of Maryland, the recent controversial studies by Facebook and OkCupid violated Maryland’s research ethics law. For past posts on the studies see here and here. The long version of Grimmelmann’s argument is up on Medium. The short version is:
Maryland’s research ethics law makes informed consent and IRB review mandatory for all research on people, even when carried out by private companies. As we explain in a letter to Maryland Attorney General Doug Gansler Facebook and OkCupid broke Maryland law by conducting experiments on users without informed consent or IRB review.
Not only does Maryland require IRB and informed consent for research, it also requires that IRB meetings provide documentation on request, which both FB and OkCupid have failed to do. Grimmelmann and a colleague, Leslie Meltzer Henry, have asked the Attorney General of Maryland to enjoin the companies from conducting further research until they enter into compliance.