The recent Facebook data privacy scandal can teach businesses A LOT of important lessons about privacy.
Many feel Facebook got a slap on the wrist and didn’t learn its lesson after the Federal Trade Commission (FTC) penalized the social media giant $5 billion.
The fine came as punishment for deceitful privacy practices in the Cambridge Analytica/Facebook scandal and other privacy breaches. Facebook settled a similar charge in 2011 with the FTC. It paid the fine, but went about doing pretty much the same thing: breaking its privacy promises to users and to the FTC.
Even though the fine is about 220 times larger than anything the FTC has imposed in similar cases, not everyone was impressed. The agency faced accusations of going light on Facebook. An irate FTC commissioner felt that this figure was so small that Facebook could still claim a profit on its crimes.
He was referring to Facebook’s stock that went up after news of the FTC’s record fine was announced.
The fine was only one part of the settlement that Facebook agreed to. The FTC “Order” also includes a new series of restrictions on the business to ensure compliance. These restrictions join a list of other procedures that provide privacy oversight.
Here’s a complete list:
- A dedicated privacy team that reviews new products
- A separate board level privacy committee
- Privacy audits
- A privacy impact assessment for every new or updated product, service, or practice prior to implementation
In a statement the FTC wrote, “…if there are any deviations, they likely will be detected and remedied quickly.”
These restrictions provide companies with a blueprint of what the FTC will be looking for in privacy policies and procedures. With new privacy laws more common than not, companies would be wise to follow these best practices.
Will the Facebook data privacy scandal set a precedent?
Marc Groman, a privacy professional on the International Association of Privacy Professionals (IAPP) Board, used to work at the FTC.
In 2015, Groman wrote on the IAPP site that he felt even though “…(FTC) settlements do not act as binding precedent for other companies,” companies shouldn’t ignore best privacy practices if they want to avoid being investigated.
He recommends companies take a look at the FTC’s casebook which lists at least 180 privacy and data security enforcement actions taken by the FTC.
As the de facto U.S. privacy and data security regulator, the FTC asked the House Energy and Commerce subcommittee during a May meeting for more resources. It would use these resources to police violations and to increase authority to impose penalties.
Privacy Laws Just Keep Coming
At the May meeting, the FTC also asked Congress to create a national privacy law that would regulate how tech giants like Facebook and Google gather, store, and share the personal data of users.
While the commission and the rest of the world wait for Congress to pass a comprehensive privacy law, many individual states are clamping down hard to protect their residents.
The number of states with these types of data security laws has doubled since 2016.
- Nevada and Maine have followed in California’s 2018 footsteps by passing new privacy protections for consumers.
- Vermont in 2018 enacted a law that requires businesses that collect and sell or license personal information to third parties to disclose to individuals which data is being collected and to permit them to opt out.
- Maine passed a law placing restrictions on how Internet service providers share Mainers’ personal information.
- Nevada passed an amendment to its online privacy law. Businesses have to offer consumers a right to opt-out of the sale of their personal information. It will take effect on October 1, 2019.
- New York, Washington and Texas each introduced bills similar to CCPA.
- Other states with tough privacy laws are Utah, Delaware and Illinois.
- According to the National Conference of State Legislatures, more than 100 privacy bills are currently pending in the states.
Privacy. It’s a public concern. Don’t ignore it.
Privacy naysayers believe that the public has thrown up its hands in light of all the data breaches.
But in the wake of the Facebook gaffe, the public’s concern over data privacy is increasing. Believe it or not, Americans are more concerned about it than job creation and health care.
Here are surveys and studies that indicate the public does care about privacy:
- The National Telecommunications and Information Administration revealed that 45% of households said that loss of personal data control made them uneasy about sharing personal information while doing online banking, shopping or discussing controversial or political matters on social networks.
- Another study done by Deloitte Insights found that 70% of consumers would be more likely to buy from a company that was verified by a third party as having high data privacy standards.
Data is a company’s most strategic and valuable asset. Protect it.
Know your data: you can’t protect what you don’t know.
That means creating a data inventory. This should include every piece of information stored or processed by your company, whether electronically or in hard copy.
Remember, you can’t comply with any law if you don’t know what data you have.
You should also make sure you know who has access to your collected data. And tell third-party organizations they will be monitored and held responsible for how they use the data.
Finally, complete a gap assessment to show you how likely you are to have an information breach. If you do this annually, you’ll be able to identify any business activities that are out of compliance with privacy regulations.
Be the company that respects personal data
Customers will know you respect them when they see how transparent you are.
Twenty-page terms and conditions statements with data usage hidden for a single app download don’t cut it anymore.
- Don’t hide security and privacy settings behind complex menus or bury them in Terms and Conditions. It looks suspicious. And more importantly, it frustrates customers.
- Allow your customers the option of opting out anytime they feel uncomfortable.
- Be open with customers on how their data can potentially be used.
- Inform customers if you’re considering selling their data.
- Get explicit customer consent when applicable.
- Put the customers in control. Provide flexibility in the types of data they are able to share.
Conclusion: Be Proactive
The Facebook scandal has been so troubling because it highlights a massive transparency issue.
The lesson is to be proactive.
Reevaluate your data practices. Communicate them clearly and transparently to your customers. Stick to your word. You’ll come out stronger on the other side.
Don’t look at privacy laws as burdens.
Complying with regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), effective January 1, 2020, can actually help you mitigate risk and, in the long run, increase your potential for a competitive advantage.
Breaches cost more money than taking steps toward compliance.
If you’re having trouble navigating your way through the plethora of privacy-related laws and regulations, we can help. Schedule a consultation today.