Poor internal controls, political impacts, and lack of data usage transparency at Facebook have elevated privacy concerns for regulators, advertisers, and investors globally. The broad use of social media has desensitized most Americans to the risk of exposing vast amounts of personal information to companies like Facebook and Google. Will this event materially harm Facebook?
Facebook has the technical skills to fix it going forward and will be a much better company if it does so. The problem is that the historical data already provided to third parties is not recoverable, and regulatory fines and new regulation will follow. “Facebook began in 2007 letting outsiders access its ‘social graph’ – the friend connections, interests, and ‘likes’ that links its user base together. By 2015, Facebook had largely stopped access to users’ friend connections, though political campaigns could still find would-be supporters by buying ads and using Facebook’s targeting tools” (Tau).
I have managed a Privacy function for more than seven years, so I have a road map of activities that Facebook should consider.
1) Establish an internal Data Governance team for data control, capture consent for data collected, provide transparency for data given to third parties, and improve news/reporting integrity. Most financial institutions have established data owners and data stewards for data governance.
2) Recognize that consumers have different privacy expectations, varying from indifferent to protective. Create a system to capture each user’s preferences at the data element level and honor each user’s choice.
3) There are numerous ways of masking personal data: using pseudonyms; encrypting certain sensitive data elements tagged by the user; and aggregating numerous users’ data into an autonomous virtual identity with similar characteristics (NOTE: the old rule of thumb of 10 aggregated individuals with similar behaviors is completely inadequate given today’s Big Data models). Additionally, “Computer Scientists have developed algorithms, sometimes called ‘differential privacy’ that randomizes or modifies data in ways that make them useful for academic research but not for other purposes. Apple has pioneered the use of this tool” (Duan).
4) Utilize data mining to review partners’ Privacy Notices and ensure that data is used according to the most current and restrictive Privacy Notice policy. Ensure that all contracts have data usage audit requirements or data is stored on a jointly-managed protected server.
5) Establish computer system requirements with partners that allow Facebook to delete Facebook’s user data on partners’ systems, thereby allowing user data to “be forgotten” as required under the EU General Data Protection Regulation.
6) Verify that Facebook and third-party developers are adhering to all regulatory requirements. “Democratic Sens. Mark Warner of Virginia and Amy Klobuchar of Minnesota are the co-authors of the Honest Ads Act bill that would subject online political ads to the same rules and restrictions as those for TV, radio, and satellite” (Swartz). Mark Zuckerberg is supportive of the Honest Ads Act. Facebook is already under investigation by Canada’s privacy commissioner (Seetharaman).
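Items 2 and 3 above can be combined in one data-release path. The sketch below is an added example, not code from Facebook or from any source cited here; the record layout, key, cohort threshold, and epsilon are constructed assumptions. It drops data elements the user has not opted in to, replaces the user ID with a keyed pseudonym, and releases only noised counts for cohorts that are large enough.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed parameters (assumptions, not values from the page).
PSEUDONYM_KEY = b"constructed-demo-key"  # in practice held in a key manager
MIN_GROUP = 50   # cohort floor; the page calls the old floor of 10 inadequate
EPSILON = 1.0    # differential-privacy budget spent on one count query

def pseudonymize(user_id: str) -> str:
    """Keyed pseudonym: stable for joins, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def apply_consent(record: dict, consent: dict) -> dict:
    """Keep only data elements the user opted in to; the default is deny."""
    out = {k: v for k, v in record.items()
           if k != "user_id" and consent.get(k, False)}
    out["pid"] = pseudonymize(record["user_id"])
    return out

def laplace(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) noise as the difference of two exponential draws."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def release_counts(rows, field, rng, min_group=MIN_GROUP, epsilon=EPSILON):
    """Noised per-value counts. A count has sensitivity 1, so the noise scale
    is 1/epsilon. The floor is applied to the noisy value so that the
    suppression decision itself does not reveal the exact count."""
    out = {}
    for value, n in Counter(r[field] for r in rows if field in r).items():
        noisy = n + laplace(1 / epsilon, rng)
        if noisy >= min_group:
            out[value] = round(noisy, 1)
    return out

def build_sample():
    """Constructed users: 60 list 'hiking', 3 list 'falconry'; u0 shares nothing."""
    users = [{"user_id": f"u{i}", "interest": "hiking",
              "email": f"u{i}@example.test"} for i in range(60)]
    users += [{"user_id": f"v{i}", "interest": "falconry",
               "email": f"v{i}@example.test"} for i in range(3)]
    rows = [apply_consent(u, {"interest": True, "email": False}) for u in users]
    rows[0] = apply_consent(users[0], {})  # no consent recorded: only the pid
    return rows

if __name__ == "__main__":
    print(release_counts(build_sample(), "interest", random.Random(7)))
```

The small "falconry" cohort never appears in the output, and the "hiking" count is close to, but not exactly, the 59 users who consented to share that element.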
Mr. Zuckerberg and Ms. Sandberg have proactively defined an approach to determine what data has been captured and misused. “In an interview with CNN, a contrite Zuckerberg vowed to mount a ‘full investigation’ of thousands of apps with access to wide swaths of data ‘before we locked down our platform in 2014.’ ‘There will always be bad actors’ trying to misuse the platform, his No. 2 Sheryl Sandberg, told CNBC. ‘We are taking aggressive steps to be more transparent’” (Swartz).
Facebook’s greatest regulatory problem is securing the user data that data miners and developers collected in the past to build apps and services. Facebook said it would audit apps that show suspicious patterns in how they pulled data. Developers who have misused data or who refuse to submit to an audit will be banned from Facebook and their users notified (Seetharaman).
Investor Concerns
“Trillium Asset Management suggested establishing a risk oversight committee at the Board level. The New York State Common Retirement Fund asked Facebook to review and report on ‘the efficacy of its enforcement of its terms of service, related to content policies and assessing the risk posed by content management controversies,’ such as election interference, hate speech, and sexual harassment” (Norton).
These fund managers made solid suggestions, but there are questions that many investors should consider in evaluating these recommendations.
1) Why should we allow dual shares that protect leaders and diminish the role of shareholders and the Board? “Mr. Zuckerberg and insiders control over 60% of the voting rights, owing to Facebook’s dual share class structure” (Norton).
2) Both of these funds are examples of sustainable funds that market their investments within the framework of ESG (Environmental, Social, and Governance). The very nature of Facebook’s lack of social consciousness over the use of its data by political operatives, and the lack of governance over third-party contracts points to governance weakness, especially due diligence, at ESG funds that chose technology as one of their primary investment sectors.
Advertisers Realize that Facebook has a Unique Product
“Facebook was, for a time, exfiltrating massive amounts of data about its users to developers and data miners of every stripe.” “Facebook allowed this data access, hoping to build a business like Apple Inc.’s iPhone App store” (Mims).
“Facebook and Google command 63% of the $83 billion digital-ad market in the U.S. Mobile advertising generated more than 86% of Facebook’s $40.7 billion total revenue in 2017” (Swartz).
“P&G said it cut its digital-ad budget by $200MM last year. Digital-ads account for a third of P&G’s $7.1 billion ad budget” (Swartz). However, $200MM is only 2.8% of the budget, so how impactful will the reduction be to Facebook or Google? I would argue as a P&G investor that their ads follow established brand loyalty and quality messages but are ineffective against cheaper store brands and innovative competitors that use digital ads more effectively. If you type “P&G” or “Procter and Gamble” into the Apple Store or Google Play Store, you will see a few consumer apps for products like Pampers, Charmin or Tide laundry service amidst a host of other non-consumer apps. My recommendation for certain advertisers is to look carefully at the value provided by Facebook versus subscription services or cross-product loyalty programs tied to consumers’ phone apps rather than providing ad content that Facebook can leverage with competitors on social media response data.
Blog Author Email: bphelan@riskdirector.com
LinkedIn Profile: http://www.linkedin.com/in/bob-phelan
References
Duan, Charles, and Shoshana Weissmann. “How Could Facebook Have Been So Careless?” The Wall Street Journal, 26 Mar. 2018.
Mims, Christopher. “Facebook Confronts Identity Crisis.” The Wall Street Journal, 21 Mar. 2018.
Norton, Leslie P. “Facebook Shareholders Force Data Privacy Vote.” Barron’s, 26 Mar. 2018.
Seetharaman, Deepa. “Lax Data Policies Haunt Facebook.” The Wall Street Journal, 21 Mar. 2018.
Swartz, Jon. “Facebook under Siege.” Barron’s, 26 Mar. 2018.
Tau, Byron. “Data Blowback Pummels Facebook.” The Wall Street Journal, 20 Mar. 2018.