Balancing user privacy with the desire of advertisers to collect insightful user data is a challenge Facebook has faced since its inception. As evidenced by the company’s recent affirmation of its ad-driven business model, Facebook has no plans to alter its basic value proposition. However, recent industry events have once again brought the conflict between user privacy and advertiser demands to the attention of regulators in the US and in Europe.
By way of background, less than a year before its IPO, Facebook signed a consent decree with the US FTC, under which it agreed to settle, without admitting or denying guilt, charges that it had deceived consumers by telling them they could keep information private, but then sharing it repeatedly. In signing the consent decree, Facebook agreed that it must obtain consumers’ express consent before their information is shared beyond the privacy settings they create. As part of the settlement, Facebook agreed to audits conducted by independent third parties once every two years for the next 20 years to verify that its security procedures exceed the standards set by the FTC. The FTC is currently investigating whether Facebook has violated the consent decree, which could result in penalties of up to $40,000 per user per day.
Facebook maintains that the data harvested by a third-party app utilized by the consultancy Cambridge Analytica was obtained and applied in violation of its policies, specifically procedures put in place in 2014 to prevent so-called “abusive apps” from gaining unauthorized data from Facebook users. The Cambridge Analytica imbroglio is particularly significant in light of new privacy regulations that are being imposed by the European Union under the General Data Protection Regulation (GDPR), which goes into effect later this week. Under the new regulation, advertisers must be transparent about their use of customer data, and users must give their express consent to allow advertisers or other third parties to utilize their data. In response, Facebook and other internet advertisers are working to comply with European regulators, who could impose penalties of up to 20 million euros, or up to four percent of annual revenue, whichever is greater. In the case of Facebook, a violation could result in a penalty of up to $1.6 billion.
The initial GDPR impact on Facebook is likely to be a decline in the rate of growth in its European user base, which currently stands at 282 million daily active users, or 19 percent of its user base. Beyond that, the impact is unclear. One school of thought suggests that Facebook could face declines in advertising revenue, based on a lower base of users reachable by advertisers. The counterargument is that users who give their consent will be more susceptible and receptive to ads that they are implicitly agreeing to view, thus making the remaining base of users even more valuable to advertisers.
In the meantime, Facebook is redoubling efforts to root out third-party apps that violate its data privacy rules. Facebook has stated that it has more than 10,000 people working on security and safety issues now, with plans to double this number by the end of this year. Last week Facebook announced that it has already examined thousands of third-party apps, and has suspended about 200, pending a thorough investigation into whether the apps misused user data. Any of the apps in question that are found to be in violation of Facebook’s policies will be banned from Facebook, and users of the app will be notified.
The recent Cambridge Analytica imbroglio, combined with the rollout of GDPR, is likely to keep the spotlight on Facebook and other internet advertisers. By taking more proactive measures to ensure user privacy, Facebook is likely to navigate the conflicting demands placed upon it by users, advertisers, and regulators.