Facebook is one of today’s biggest online collectors of personal information. But are its data collection practices always above board?
Like many businesses, Facebook struggles to keep up with changing federal and international privacy laws, and with how to properly disclose its privacy practices to users – and it’s paying the price. Find out what controversial privacy practices Facebook is being accused of and how your business can avoid these same missteps:
1. What Allegations Are Facebook Confronted With?
On January 25, 2018, the European Justice Court ruled that the policies and practices used by Facebook – as it collects and uses the information of millions of Europeans – may not sufficiently protect the privacy of those consumers.
Facebook is facing such international legal actions due to its use of the trillions of bits of data it collects from its billion+ users without proper disclosure of that collection and use.
For the most part, these actions target how Facebook handles its users’ private data, alleging that it either misleads them about those processes or fails to inform them about those practices. Among the claims:
- The company uploads user data for commercial use without obtaining users’ consent
- It inappropriately tracks the activities of website visitors via the use of the “like” button
- It inappropriately monitors its users through Big Data analytics
- It grants third parties access to its users’ information without informing users or gaining their consent
- It fails to obtain adequate consent for many of the other ways it uses its user data
Overall, these claims indicate that consumers across the globe want Facebook to keep their private information confidential, or give them more control over its use.
We’re at a time when companies must walk a fine line between protecting users’ information and experiences online, and avoiding censorship. For example, users around the globe fear the EU will ban memes through Article 13 of the Copyright Directive.
2. How Do These Claims Affect Facebook?
There are significant cases in several jurisdictions including France, Canada, and the United States regarding Facebook’s data collection activities. The social media giant is facing myriad consequences for its failure to meet the privacy demands of both its users and the law.
An Austrian case lodged against Facebook has gained international interest. In 2010, Max Schrems sued Facebook Ireland for invasion of privacy, raising the concerns above and also claiming that Facebook’s activities violate EU consumer privacy rules.
After seven years of Facebook’s procedural wrangling to have the case dismissed, on January 25, 2018, the EU Court granted Schrems permission to proceed against the company on his claim that it violated his right to privacy. The case remains ongoing.
Spain levied a US $1.4 M fine against the company for violating its data harvesting regulations, and France followed suit with a US $183,000 fine for doing the same thing. Belgium, Germany, and the Netherlands are also investigating the company for privacy violations.
And the fines may become even more onerous: Europe’s new General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, has fines of up to 4% of an entity’s annual gross profits for violations of its extensive data privacy rules.
3. How is Facebook Responding?
On January 24, 2018, Facebook COO Sheryl Sandberg asserted that the company would roll out a “global privacy center” later this year that will put all privacy settings into one place. This resource is intended to be accessible to all users, whatever their location.
The development is based at least in part on the GDPR standards. If and when an appropriate entity determines that Facebook has violated those standards, the result could be an assessment of over US $1 billion on its 2016 revenues alone.
At the Facebook Gather Conference in Brussels, Sandberg said:
“Our apps have long been focused on giving people transparency and control, and this gives us a very good foundation to meet all the requirements of the GDPR.”
The effect of such changes, both on ongoing privacy violation suits and on potential future allegations, remains to be seen.
4. What Can You Learn From Facebook’s Experience?
Chances are, your company isn’t as ubiquitous across the globe as Facebook is, but it may still face similar challenges maintaining consumer privacy standards – especially now, if it does business in Europe or with European citizens and residents.
If even one of the fines that Facebook was slapped with in response to privacy violations were levied against most small businesses, it would likely spell their financial ruin.
To ensure that your company doesn’t fall victim to such woes, review whether your privacy policies and practices would stand up to current and incoming legal scrutiny.
Drawing on the Facebook experience, there are two main avenues to explore:
- How your company collects and uses its consumer data
- What notifications it gives to consumers about those practices
Surprisingly, Facebook does define which data it collects and stores regarding its users, including:
- What they do while on the site, including websites they visit and ads they click on (among others)
- What they create – emails, messages, photo uploads, calendar events, and anything they store on Google Drive
- Their personally identifying information (PII), including name, gender, emails, locations, etc.
In this area, your company might benefit from Facebook’s example by generating a comprehensive inventory of the consumer data you collect, which will provide a template for the related notices you should offer.
Notifications of Usage
On the other hand, notification of data usage has not been Facebook’s focus, and its experience indicates that simply telling consumers that their data is collected is not sufficient protection of their privacy.
Courts and governments are warning data collectors that they must also give notice of how they use that data in other sectors of their enterprise and, in Europe, because of the GDPR, must also get explicit consent from their users before using the data for commercial purposes.
Both Facebook’s legal concerns and the GDPR have raised the issue of how personal data will be collected and used in the future, as the right to control personal data from any source is swinging in favor of the consumer.
Your company can learn from Facebook’s legal challenges by ensuring its privacy policies include both exhaustive lists of the data it collects, and equally exhaustive notifications about where else within the entity that data might be used and for what purpose.
When it comes to notifying users of your policies, you’ll need to install a consent banner.