Earlier this year, the European Union's GDPR came into full enforcement. The regulation single-handedly transformed business practices both in the EU and internationally. GDPR dictates how EU consumers' data may be collected and stored and how enterprises must ask for users' consent to use that data. Regulators enforce these mandates with fines of up to 4% of a company's global annual turnover, and enterprises including Uber have already felt European data regulators' penalties firsthand.
U.S. companies, in particular, struggled to prepare for and adapt to GDPR's compliance rules. Whether due to ignorance, neglect, or the sheer scale of the changes some businesses needed to make, enterprises found themselves caught off guard by GDPR's enforcement. As a result, many now look to the upcoming California Consumer Privacy Act with equal parts trepidation and dread.
However, their fears may not encompass the whole picture. The recent scandals at Facebook have reinvigorated calls for a U.S. National Privacy Law on par with GDPR. Here is a recap of Facebook's 2018, and what it could mean for enterprises in 2019:
What is Going On at Facebook?
The social media giant stumbled through 2018 with a reputation severely tarnished by continual data privacy scandals. In March, it came under fire for having allowed a third-party app to harvest the data of up to 87 million users, which was then passed to Cambridge Analytica for political targeting. In the fallout, its Chief Security Officer, Alex Stamos, left the company.
Another data breach, disclosed in late September and originally projected to affect 50 million users (later revised down to about 30 million), cast a further shadow on the company. The attackers exploited a flaw in the site's "View As" feature to steal access tokens, which let them take over accounts without needing passwords or malware. How much data the still-unidentified hackers stole remains unclear; Facebook said the vulnerability had been present in its code since July 2017.
Compounding the damage to its reputation, just a few days ago Facebook disclosed a bug that allowed third-party apps with permission to access a user's photos to also reach photos the user had never posted, including ones uploaded but never shared. This privacy violation affects as many as 6.8 million users.
Throughout all of these scandals and public relations nightmares, Facebook apologized and proclaimed its dedication to user privacy and improving its cybersecurity. Today, however, a new scandal undercut these apologies. In fact, it may open the door to the enactment of a U.S. National Privacy Law.
The Latest Facebook Data Scandal
Today, in a blog post responding to a New York Times investigation, Facebook acknowledged that it had given partner companies, including Netflix, Spotify, Amazon, and Microsoft, special access to user data. According to the Times, Netflix and Spotify could read, write, and delete users' private messages, while Amazon and Microsoft's Bing could see the names and contact details of users' Facebook friends, all without those users' knowledge or consent. Several of the companies named officially denied using this access or having any knowledge of it.
Facebook says it shut down the "instant personalization" feature behind some of this access in 2014 and has been winding down the remaining integration partnerships since. But according to the New York Times, which broke the story, Yahoo could still view real-time feeds of friends' posts as recently as summer 2018. The social network also admitted it should not have left the APIs behind these integrations in place after the program officially shut down.
Facebook claimed in the blog post: “To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC (Federal Trade Commission).”
When is Enough Enough?
Not everyone is convinced, however. Dan Goldstein, President and Owner of Page 1 Solutions, shared some of his thoughts with Solutions Review.
“Facebook’s argument that these business partnerships didn’t require user consent because they were ‘functionally extensions of Facebook itself’ is absurd and more than a little troubling. The ability to offer special features unavailable to other advertisers is the definition of special treatment, and it should not give any of the parties involved the right to ride roughshod over the consumer,” said Goldstein.
Goldstein pointed out Facebook’s latest apology rings hollow after so many incidents: “Once again, the leaders are saying that Facebook will look inward and take action, but what’s really going to change when the company is seemingly willing to overlook its own policies for sweetheart deals worth who knows how much money?”
He added: “I wonder how much further Facebook can erode its credibility and goodwill before government regulation occurs. Some members of Congress are already calling for nationwide privacy laws. I don’t think this kind of heavy-handed intervention is the answer, but Facebook is not helping its case with the months of bad press and tepid apologies.”
A U.S. National Privacy Law?
Major publications like Wired were asking what regulation of Facebook might look like as early as March. But the barrage of scandals from the social media platform has renewed substantial calls for a U.S. National Privacy Law on par with GDPR.
Senator Chris Coons (D-Delaware) said to Fortune magazine in November: "If [Facebook doesn't address its privacy issues], if they continue to act as if we couldn't possibly deign to regulate them, they'll get regulated and they'll be unpleasantly surprised with how swiftly it may happen." Senator Bob Corker (R-Tennessee) echoed those sentiments. And that was before the latest violations became public.
The question users have begun asking in the wake of Facebook's scandals is whether they can trust corporations with their personally identifiable information (PII). If Facebook, which until 2016 was perceived as a largely positive institution, cannot regulate itself, can any enterprise?
Given the outrage Facebook has provoked, the federal government may have little choice but to enact a U.S. National Privacy Law. This would quell voters' concerns and establish clear rules about how enterprises store and share PII. A U.S. National Privacy Law would also establish a consistent set of privacy rules for the social media era; currently, only sector-specific federal laws (such as HIPAA for health data) and a patchwork of inconsistent state regulations govern how enterprises may handle residents' information.
Moreover, evidence suggests a U.S. National Privacy Law would be wildly popular with the public. It is important to remember that California passed its privacy law (in part) to keep a much harsher version, which had already qualified for the ballot, from being enacted by voters directly.
Facebook's U.S. user growth has stagnated, and its share price has fallen sharply since mid-year. All this points to one conclusion: consumers do care about their data privacy, and enterprises are suffering for their negligence. It is only a matter of time before the government follows their collective will.
Your enterprise should start exploring how it would handle the enactment of a U.S. National Data Privacy Law. Additionally, it should review its own identity management and data-sharing practices to ensure it does not suffer the same fate as Facebook.
It seems to be a matter of when, not if, such a U.S. National Data Privacy Law comes to pass in the United States. For better or worse, preparation is the key.
Thanks to Dan Goldstein of Page 1 Solutions for his insights on the latest Facebook scandal.
Posted by Ben Canner