Privacy, Social Media

What’s next for Facebook?

Facebook_Thumb_IconNow that the cameras have gone, the booster cushion has been removed from the witness chair, and Mark Zuckerberg is comfortably back in in Palo Alto, having survived his marathon two-days of testimony in front of a somewhat confused Congress, what’s next? 

Regulations  

Following the revelations that a political marketing firm, Cambridge Analytica, improperly obtained personal information from approximately 87 million Facebook user profiles (including even Mark Zuckerberg’s!), Congress has more support than ever to regulate Facebook and other social media tech.  On his ‘apology tour,’ and in congressional testimony, Zuckerberg has said he is open to some form of oversight.  “The internet is growing in importance around the world in people’s lives and I think that it is inevitable that there will need to be some regulation,” he said.  But just what that regulation would look like remains unclear. 

Some lawmakers cited the ‘weakness of the current system’ and failures of tech firms to self-police in arguing that legislative oversight, and even a new bureau, might be necessary.  “Would it be helpful if there was an entity clearly tasked with overseeing how consumer data is being collected, shared and used, and which could offer guidelines, at least guidelines for companies like yours to ensure your business practices are not in violation of the law,” Rep. Raul Ruiz, a Democrat from California, asked at the House hearing. “Something like a digital consumer protection agency?”  Zuckerberg deferred, hinting at a long road toward that compromise.  “Congressman, I think it’s an idea that deserves a lot of consideration,” he said. “But I think the details on this really matter.”  Those details will take some time to negotiate.  In the meantime, an FTC investigation is picking up steam.

FTC investigation  

The Federal Trade Commission is the top cop on the privacy beat, with a mandate to protect consumers from unfair and deceptive trade practices.  In a March statement announcing the opening of an investigation into Facebook’s privacy practices, Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection, said, “The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers.  Foremost among these tools is enforcement action against companies that fail to honor their privacy promises.”  Facebook’s privacy promises – going back to 2011 – are all under intense scrutiny.

In November of 2011, Facebook reached a settlement with the FTC regarding claims they had engaged in ‘unfair and deceptive practices’ by publicizing data that users thought was private.  To settle that action, Facebook signed a consent decree with the FTC, agreeing not to share users’ data with third parties without their express consent, to give consumers clear and prominent notice before sharing their information beyond their privacy settings, and to maintain a comprehensive privacy program to protect consumers’ information.

The reopening of the FTC investigation is aimed at determining whether Facebook upheld that agreement.  “We remain strongly committed to protecting people’s information,” said Rob Sherman, deputy chief privacy officer at Facebook. “We appreciate the opportunity to answer questions the FTC may have.”  The FTC will no doubt seek answers to questions concerning Facebook’s policing of the information that Cambridge Analytica was able to collect. 

In his testimony before Congress, Mr. Zuckerberg explained that, although the company has since changed its policies, this was the “way that the platform worked, that you could sign into an app and bring some of your information and some of your friends’ information.” In effect, Zuckerberg argues, there was no violation of the consent decree because the 87 million users effectively consented to sharing their personal data on the platform, though they may not have explicitly agreed to share that information with Cambridge Analytica.   

If the FTC finds that Facebook did, in fact, violate the terms of the consent decree by allowing Cambridge Analytica to acquire the data of more than 87 million users without their consent, and that Facebook should have done more to protect the data than simply accept a declaration that the data had been destroyed in 2015, there may be substantial fines in store for Facebook.  Each violation could merit a fine of more than $40,000, per user, per day, which, when multiplied by the 87 million users affected by the Cambridge Analytica leak could amount to trillions of dollars.  While it is unlikely that the FTC would impose a fine of that magnitude, any monetary penalty assessed against Facebook would be significant, both for Facebook’s bottom line (currently valued at over $480 billion) and for what the precedent would do to Facebook’s business model, which is based on collecting and using data to sell ads.

Facebook’s Defense

It is important to note that Facebook denies any wrongdoing with respect to the Cambridge Analytica leak, and even finds fault with the characterization of what occurred as a “breach.” Facebook’s Vice President, Andrew Bosworth, defended the company on Twitter. “This was unequivocally not a data breach,” Bosworth said. “People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. No systems were infiltrated, no passwords or information were stolen or hacked.” 

Strengthening Facebook’s case is a recently disclosed audit report prepared for the FTC even after Facebook had lost control of the user data, stating that the company had sufficient privacy protections in place.  PricewaterhouseCoopers told the FTC that, over the period of time from February 2015 through February 2017, “Facebook’s privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy” of its users.  It is unclear whether or not the company disclosed the leak to the auditors, however, and it seems likely that will be part of the FTC’s investigation.  Rob Sherman said Facebook remains “strongly committed to protecting people’s information” and appreciates “the opportunity to answer questions the FTC may have.”

During Mark Zuckerberg’s appearance at the Senate hearing, Senator Orin Hatch asked:  “how do you sustain a business model in which users don’t pay for the service?”  Zuckerberg calmly explained: “Senator, we run ads.” He, and his company, might need to expand on that business model in the post-Cambridge Analytica regulatory landscape.

Leslie Pedernales

About Leslie Pedernales

Leslie Pedernales works with clients to develop communication strategies as part of integrated government relations initiatives. She partners with her clients to understand their business objectives and priorities so she can provide practical counsel and help them formulate successful legislative and legal strategies.

Discussion

No comments yet.

Leave a comment

Your email address will not be published. Required fields are marked *

Welcome to Data Points!

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. Moore & Van Allen’s Privacy & Data Security Group recognizes the challenges clients face in the effort to stay abreast of such volatility. “Data Points” seeks to educate by providing transparent and cutting-edge insight on the most critical issues and dynamics. Our goal is to inform business decision-makers who are navigating these waters about the information they must protect, and what to do if/when security is breached.

Connect To Recent Authors

  • Karin McGinnis:  View Karin McGinnis' Bio View Karin McGinnis' LinkedIn profile
  • Todd Taylor:  View Todd Taylor's Bio View Todd Taylor's LinkedIn profile
  • Brandon Gaskins:  View Brandon Gaskins' Bio View Brandon Gaskins’ LinkedIn profile
  • Robert Sumner:  View Robert Sumner’s Bio
  • Carol Bowen:  View Carol Bowen's Bio View Carol Bowen’s LinkedIn profile

  • Subscribe to Blog via Email

    Follow MVA

    Facebooktwitterlinkedinrss

    Blog Topics

    Archives

    Interested In Other Topics?

    Tell us what else you are interested in here.

    Our Privacy & Data Security Practice

    Moore & Van Allen has a Privacy & Data Security practice with the depth and breadth to advise the multitude of business industries and practices impacted, including sales, human resources, data maintenance and storage, IT, legal and compliance, labor and employment, health care, finance, cross-border transactions, energy and litigation. All require careful attention to protecting the privacy of personal information as well as preserving the integrity of company, customer or third party data. To help our clients successfully navigate their data security challenges and manage their risk in these areas, our multi-disciplinary team draws on their deep experience in addressing data privacy and information security obligations and disputes. Read More About Our Practice and Meet the MVA Privacy & Data Security Team.

    Disclaimer

    No Attorney-Client Relationship Created by Use of this Website: Neither your receipt of information from this website, nor your use of this website to contact Moore & Van Allen or one of its attorneys creates an attorney-client relationship between you and Moore & Van Allen. As a matter of policy, Moore & Van Allen does not accept a new client without first investigating for possible conflicts of interests and obtaining a signed engagement letter. (Moore & Van Allen may, for example, already represent another party involved in your matter.) Accordingly, you should not use this website to provide confidential information about a legal matter of yours to Moore & Van Allen.


    No Legal Advice Intended: This website includes information about legal issues and legal developments. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances. You should contact an attorney for advice on specific legal problems. (Read All)