Facebook, Cambridge Analytica, and Data Privacy at a Turning Point

With news unfolding about an app that was able to gather 50 million Facebook users’ data, which was later resold to a political data firm in order to try to influence American voter sentiment, industry leaders are weighing in on what this may mean for the future of data governance and regulatory compliance.

According to the New York Times, Cambridge Analytica’s “psychographic modeling” was used in its work for the Trump campaign in 2016. “But Facebook did not inform users whose data had been harvested,” the Times article noted.

As the article explained, the Facebook data was gathered in 2014, when Cambridge Analytica, through an outside researcher, sought Facebook users “to take a personality quiz and download an app, which would scrape some private information from their profiles and from those of their friends—activity that Facebook permitted at the time.”

While not a breach or hack, the use of the data by a third party, and the particular purposes it was collected for, has drawn outrage from lawmakers and Facebook customers, and prompted heightened interest in regulations that could enable individuals to control the use of their data.

Calling it “Facebook’s worst crisis since it was founded,” another Times article stated that after recently learning from news organizations that Cambridge Analytica had not deleted all of the data it had obtained, Facebook banned the consulting firm and the researcher who created the personality quiz app.

Against the backdrop of the EU’s GDPR, which is set to take effect in May 2018, as well as the ongoing push for marketers to gather extensive data to know their customers’ preferences and dislikes, industry leaders offered their insight on what the fallout may be and what is likely to change.

“Why is anyone surprised by these revelations? Corporate America has had a habit of violating laws, getting caught, and paying the fines out of petty cash so who wouldn’t want to make hundreds of millions of dollars to pay a fine of a few million? Clearly, the FTC does not have a habit of making sure that the fine fits the crime,” commented Michael Corey, co-founder of LicenseFortress, and a Microsoft Data Platform MVP, Oracle ACE, and VMware vExpert.

But the thing that is odd, mused Corey, is that Facebook and the others involved didn’t just get users’ consent to go do this. “So often, companies throw up a page of legalese and say ‘to continue check the box’ and nobody reads it anyway and they are under no obligation to make sure that even if they did read it, they could understand it,” said Corey. “If they had done that, there would have been nothing we could have done about it.”

The U.S. has long played fast and loose with personal information with a default of making such data public-first, added Kevin Kline, principal program manager at SentryOne, a Microsoft Data Platform MVP since 2003, and a founding board member of PASS.

Today, HIPAA, which represents the most regulation we have seen in this space, is related to health, Kline noted. “It’s regulated because we can easily imagine how such data might be misused, say by an insurer who wants to cover only healthy people.” This public-first default on sites like Facebook, LinkedIn, and Twitter may not seem to present much of a downside, but think further on that, he cautioned. “I keep telling my friends and family, ‘If you’re using a highly-valuable website that doesn’t charge a fee, the product is you.’”

While it was “clearly unethical and destructive to the bedrock American institution of elections,” the Facebook-Cambridge Analytica fiasco did not break any laws, Kline continued, adding, “It is my hope that this incident will nudge America toward a privacy-first mindset for their personal information, much as GDPR has done for the EU.”

Actually, according to Lisa Loftis, principal consultant, CI Advisory Services – SAS Best Practices, “the ‘in policy’ nature of the original data collection process makes the situation considerably worse. Equifax and Uber have thus far escaped substantial issues arising from their high-profile data security breaches. Facebook might not.” Within days of the Cambridge Analytica story surfacing, Loftis observed, “Facebook stock plummeted, its CEO was threatened with an appearance in front of the Senate Judiciary Committee, and its chief of security has stepped down. In addition, UK authorities are investigating Cambridge Analytica and could easily widen the scope to include Facebook.”

The question of whether consumers have rights to their own data, even when freely provided in exchange for no-cost services, is a murky area that still has to be thought through, and potentially litigated, noted Joe McKendrick, Unisphere Research lead analyst and independent author. “Right now, when a company gathers data on customers, it is assumed that the company assumes all rights to that data. In Europe, there has been pushback against that arrangement, especially with the impending GDPR mandates and the increasingly asserted ‘right to be forgotten.’”

It remains to be seen if similar regulations will emerge in North America and elsewhere in the world, McKendrick said. “But even without GDPR-type regulations, there is increasing pressure on organizations to provide for ‘opt-in’ choices by consumers to how their data is used, as well as more effective governance of data within corporate walls. We’re seeing that data is no longer the exclusive property of those who gather it.”

Security breach or not—the issue of how Facebook (and the apps that reside on its platform) collect, distribute and use customer data is significant, agreed Loftis. “I have long predicted that the GDPR will raise the bar on expectations of privacy and control, ultimately resulting in customers migrating to companies who implement strict data rights and protections regardless of whether they are legally required to do so.”

Though the revelations from the Facebook/Cambridge Analytica situation have been troubling, some believe in the long run there may be a benefit for marketers because it will promote change in terms of addressing customer preferences and supporting more targeted campaigns.

“Providing a consent preference center (privacy by design) for individuals to determine the exact ways that they want their data processed or forgotten, across all points along the customer journey such as website, email, campaign system, will enable a degree of communication personalization that many organizations don’t provide today,” said Brian Cleary, vice president, solutions marketing, RedPoint Global. When individual preference is understood, organizations will be able to increase the relevancy of communication they send out—which will improve the delivery of customer experience across all interaction touchpoints. “The more relevant communications delivered to an individual, the better the business benefit. Consumer marketing organizations can realize a 15% to 19% revenue uplift as well as a substantial reduction in recipient opt-out rates. In addition, having an automated process for operationalizing data use preference requests will eliminate the manual processes associated with data governance across multiple customer engagement systems and reduce the cost of demonstrating compliance with regulations by capturing a complete audit trail of actions related to the request including how long you’ve held their data for and with whom you’ve shared it.”

That silver lining notwithstanding, the old adage that “if you’re not paying, you are the product” was repeated often as industry leaders reflected on the current situation.

“We’re now seeing this dynamic manifested in the Cambridge Analytica-Facebook scandal. Facebook has been a massive, valuable service provided to consumers at no cost to them. But there is a cost—the exchange of rights to one’s data in exchange for being at the receiving end of targeted advertising and promotions,” said McKendrick. In addition, he emphasized, Facebook users are not just individuals, but also represent the many enterprises that participate in and leverage Facebook as part of their social media presence.

The problem in an increasingly cloud-connected world, said Corey, is that when you do business with a vendor you need to ask who they do business with and what they are doing to protect the data as they hand it off. “In corporate America, before we hand data to any third party, we should know who their third parties are.”

There may be much that can be learned from the EU, observers conceded. “There is a lot I don’t like about GDPR but what Europe is attempting to do is put some protection around our data in the cloud,” said Corey. Mandates for breach notification within 72 hours, penalties of up to 4% of worldwide revenue, the concept of consent given in terms that can be understood, and the concept of permission will have an impact, said Corey. “This is a chance for everyone to wake up.”

What is the bottom line? “The outrage is significant enough that I expect to see legislation in the U.S. regarding the use of Facebook data by third parties,” said Loftis. “Whether or not this legislation is as extensive as the GDPR, this incident is a cautionary tale for any marketer planning to use Facebook data in their campaigns. At minimum, I suggest putting plans in place to inform consumers of the personal data collected from Facebook. More comprehensive approaches may extend to obtaining consent for the intended uses for that data.”

Ultimately, the Facebook/Cambridge Analytica news may be a catalyst for further consumer privacy improvements in the U.S. and perhaps beyond, said Cleary. “This is a good thing for marketers, where much like GDPR and similar privacy mandates, there lies an opportunity for enterprises to take control of their data and implement a single point of control to maintain consumer privacy preferences. A single point of control over how citizen/employee/customer/consumer data is acquired, processed, used and governed is a long time coming. With the volumes of consumer data being created each day, we need it now more than ever.”