New California privacy law may require Facebook to completely change how it does business


The company says it’s in compliance, but experts say a huge showdown over consumer privacy is brewing

All the makings of a firestorm between Facebook and the State of California are starting to fall into place, according to data protection experts. 

Jim Barkdoll, CEO of data classification company Titus, recently wrote an article for Security Infowatch in which he claimed that Facebook is taking aim at California’s new Consumer Privacy Act (CCPA) by unabashedly arguing that data privacy isn’t a priority.

“Specifically, there’s the argument that its web tracker, Pixel, should be exempt from some of the more stringent CCPA protections around selling data,” Barkdoll says. Facebook gives businesses free use of its Pixel code to track user interaction and, in turn, enables them to purchase ads based on the information they’ve collected via Pixel.

Barkdoll -- and other privacy savants -- contend that Facebook is trying to get around CCPA’s edicts by citing an exemption that allows it to claim “service provider” status. 

“Essentially, Facebook’s stance is that the provision doesn’t apply to its web tracking services (Pixel) to advertisers because the company is a ‘service provider’ that is sharing data with advertisers free of charge as necessary for the purposes of its business and is thus exempt,” was how Attila Tomaschek, a data privacy advocate at, bottom-lined it for ConsumerAffairs. 

“Facebook’s argument undercuts the company’s numerous promises that it places great importance on keeping user data protected,” Barkdoll insists. Pointing to the essence of CCPA and Europe’s General Data Protection Regulation (GDPR), Barkdoll says Facebook is doing nothing less than thumbing its nose at those laws.

“These laws call for enterprises to be more transparent about how they share and market user data, but the laws also are aimed at ensuring enterprises stringently protect user data from the moment it enters their possession. Failure to do so can result in significant financial repercussions in addition to reputation damage that can take years to repair,” he said.

Facebook says critics have it wrong

The theories of Barkdoll and Tomaschek caught ConsumerAffairs’ attention, primarily because if anyone from Big Tech -- Facebook, Google, Amazon, Microsoft, Apple, et al -- can get regulators to back down regarding their use of consumers’ data, the proverbial you-know-what could roll downhill. 

In response to Barkdoll’s piece, Facebook said that it was standing firm with CCPA and was in sync with the law.

“There’s a misperception that Facebook doesn’t think CCPA applies to us. It does,” a Facebook spokesperson told ConsumerAffairs, pointing to a company newsroom post about CCPA. In that post, the company says its position vis-à-vis CCPA is this:

  • “We offer self-serve tools that let people access, download, and delete information we collect about them. 

  • We delivered a supplemental notice to California residents that provides clear information about the data we collect, how we use it, how we process data, and how people can exercise their rights under the law.

  • We issued updated State-Specific Terms, which apply when advertisers use our tools. With these, we’ve contractually committed to only use data for California residents that we receive from our partners for business purposes, like showing an ad or preventing fraud, as CCPA outlines for a service provider.”

“As with any law that applies to us and our partners, we aim to be fully compliant. In the case of CCPA, we’ve designed our systems to be consistent with the law’s emphasis on transparency and control.”

Facebook’s “service provider” argument

As ConsumerAffairs continued to dig, it quickly became apparent that the crux of the issue is how the “sale” (of personal information) and “service provider” are defined under CCPA.

As the National Law Review sees it, “‘personal information’ is defined expansively to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household.”

What Facebook is banking on is CCPA’s caveat that personal information “does not include de-identified or aggregate consumer information.”

When you look at the way the clause is written, Facebook’s argument holds water for the simple fact that the company does not sell an individual person’s data. Still, pundits think the company’s leverage of the service provider angle is a weak rationalization -- just another company that “essentially acts as a middleman delivering anonymized data to clients,” says CPO Magazine’s Scott Ikeda. 

“Facebook's claim that they are a ‘service provider’ ... is unlikely to be a winner in court,” was data privacy attorney James J. Ward’s take on the matter. “Moreover, because Facebook uses the data it collects for its own purposes, it's hard to argue that it is merely a conduit for data, particularly because it is Facebook's use of the data to provide audience segmentation advice to third parties that creates the very profits that CCPA says are a trigger for the law's application.”

What Facebook wants and what it sells are two different things

While consumers might think that Facebook is breaking down their information into specific segments and selling that information, Ward says that it isn’t the case.

“Facebook never sells its data about an individual user, because once that data leaves Facebook's ecosystem, no one will ever have to buy ad space from Facebook for that user again. It's why Facebook's revenues are so high: they are the best source of data on users -- in some ways, they're better than Google -- but they never give away the golden goose,” Ward said.

And the same is true for other Big Tech companies. 

“Many people care more about keeping their email address or home address private than they care about a company knowing what they’ve purchased from Amazon or via Facebook or eBay – but search and shopping information is much more desirable to companies that buy, package and sell personally-identifying information,” Heidi Tandy, Partner at Berger Singerman, told ConsumerAffairs. 

So, if Amazon, eBay, and Facebook can’t use something like Pixel to follow a consumer around, is that all-she-wrote? 

“Now we see why the Pixel risk is so high for them under CCPA. If Pixels are under attack (and they are, both in CCPA and in the EU's upcoming ePrivacy Regulation) Facebook's business model is at risk. That's why they're taking this position which, frankly, is a stretch,” Ward said.

An expensive proposition

Getting in lockstep with CCPA could be expensive -- not just for Facebook, but for the entire gamut of companies that handle personal data. 

“Privacy compliance can be costly, especially for businesses that deal in large quantities of data and don't have the right kind of regulatory compliance regimes, data architectures, and oversight in place,” Ward said. 

“Facebook *does* have a huge regulatory compliance team, but they also are going out of their way to recharacterize their entire business model in order to avoid the costs that CCPA imposes.”

Is Facebook putting privacy where its mouth is?

Facebook talks the talk by promising to give consumers more control over their privacy, but experts say there’s no real evidence that it’s walking the walk. 

“Despite having policies on data collection and privacy available online, consumers hardly feel that they're in control of their personal data online, especially in the wake of (events like the Cambridge Analytica hack),” Dan Drapeau, Head of Technology at Blue Fountain Media, told ConsumerAffairs.

“With the revenue models of some of the social media companies and their stance on the rules, there will be many battles ahead with regulators. Unfortunately, consumers fall in the middle of all of this.”

Going into 2019, Facebook’s chief, Mark Zuckerberg, admitted that addressing the company’s privacy issues was more than a one-year challenge. Nonetheless, Tomaschek says the world should have seen at least something by now.

“We haven’t seen much of anything from his company ... that would lead us to believe any amount of progress was being made,” he told ConsumerAffairs. 

“Quite the contrary, in fact, as Facebook continues to operate in a way that suggests the social media giant treats user privacy not as a priority, but rather as more of a nuisance that requires deft circumvention in order to indulge the best interests of the company over those of the user.”

Giving Facebook the right to defend itself

To make sure that Facebook had a chance to prove it’s making good on its privacy promise, ConsumerAffairs offered the company the space to tell readers how a consumer knows that the company is talking the talk AND walking the walk. Here’s what they had to say:

“First and foremost, getting data privacy and security right is fundamental to our business. We are invested in making people’s experience on Facebook more private, and we continue to develop new ways to honor people’s privacy by providing greater transparency and controls. 

In addition, we’ve revamped our privacy settings, consolidating, simplifying, and making them easier for consumers to use. We offer access to this information through a number of tools like Access Your Information, Download Your Information, Why Am I Seeing This, or Ad Preferences. But, we’re not stopping there; we continuously review and refine these tools. For example, we recently rebuilt and relaunched our access, download tools and privacy checkup tools.

At the company level, we’ve made major investments across engineering, legal and policy to build cross-functional teams dedicated to making it even easier for people to understand, see, and control the information we have for them. And we frequently post updates on our Newsroom so people and media are informed about the progress we’re making. Have you seen this post from Mark about starting the decade by giving you more control over your privacy, our Privacy Matters series or our proactive work on important privacy principles like data portability?”

Consumers are already lining up with CCPA questions 

Until CCPA shows how it will parse out the finer points of a consumer’s private data, people are already raising their hands and asking if the new law will pertain to something they encountered as a consumer. Sara H. Jodka, a cybersecurity and data privacy attorney at Dickinson Wright, told ConsumerAffairs that she has already fielded two consumers' concerns on CCPA. 

“Both were direct inquiries to me from consumers who wanted to know if the (Privacy Act) afforded them certain protections about their data. The first was a man who wanted to use the data access protections under the CCPA to obtain all of his information from a number of companies, including Google as, apparently, he had been banned from using their services and felt it was discrimination.”

Jodka said the other complaint that cited CCPA was from a woman who received a sample of Similac baby formula, even though she had not ordered it. The implication was that this was possibly a result of her personal information being leveraged so the company could directly market to her.

“I think we will continue to see this trend from consumers in attempting to use the CCPA to learn more about data collection and use from companies. A lot of consumers (and companies for that matter) are still confused about what the law actually provides and does not provide for, consumers have their interests piqued at a level I have not seen before and it is this interest that will drive lawsuits and, eventually, settlements and damages using the CCPA (and potentially other privacy laws) as the driving force,” Jodka concluded.

Brands stepping up on consumers’ behalf

The just-released Braze report on data privacy shows that an overwhelming number of adults (84 percent) have decided against engaging with a company because it needed too much of their personal info. Sadly, staring down the consumer on the opposing side is a vast number of marketing executives (83 percent) who disagree, saying that there is no need to protect the privacy of consumers beyond what’s required by law.

“Brands have a responsibility to protect their consumers' personal data,” Jon Hyman, Co-Founder & CTO, Braze, commented to ConsumerAffairs. “And with the increase of data privacy regulations, this has rightfully become an important focus for most businesses.”

While the world waits for California’s privacy law to take effect and for other states to join in, some businesses are starting to step up in defense of consumers instead of standing idly by and waiting for the other shoe to drop.

“Brands are already making big moves to show their dedication to privacy, and it’s paying off,” Daniel Barber, the CEO of, told ConsumerAffairs.

“Those that proactively update preferences and consent will end up with a more loyal customer-base,” Barber said -- a point FullContact President Chris Harrison doubled-down on. 

“In the meantime, companies collecting data that are clear and transparent will be in the best position with consumers and prepared for whatever Federal regulations are finally enacted,” the executive said.

Do consumers have a right to complain about privacy?

If a company like Facebook is giving its service away for free and consumers know that means a quid pro quo tradeoff for their data and are willing to allow that, is that a problem? Should the government get in the middle? Giving readers something to chew on, Tandy reminded ConsumerAffairs that the relationship between Facebook and its users may not be clear-cut.

“The cliché is that if the service is free, then you’re the product. But most people don’t have all the information they need to make reasonable choices about whether they want to give up personal information in exchange for access to content, discounts, targeted ads or information, or even updates from friends and family.”

In Tandy’s mind, companies like Facebook go to great lengths to shield consumer data from hacking by other businesses or countries because they value that information as their resource, their virtual property. 

“When consumers don’t realize how valuable their personal information is, they share it by looking at products, ads, news, and personal updates via sites like Facebook and Instagram. Facebook shares, barters and sells the information it collects about its users; the CCPA doesn’t bar them from doing so, as long as they put their users on notice that information is being collected and shared with third parties,” she said.

Are consumers and U.S. officials prepared to pay the price?

Everyone wants more privacy, but has everyone thought about how much it will cost?

The Information Technology and Innovation Foundation spreadsheet shows that if federal regulators decided they like what California or Europe is doing and wanted to mirror it across the country, it could cost the U.S. economy about $122 billion per year -- or $483 per U.S. adult. 

On top of that, the Foundation figures that the time it would take consumers to tell a platform what personal data it can and cannot use would result in 9.2 million wasted hours worth $128 million each month.

“Before policymakers in the United States create federal privacy rules, or continue to allow states to create a patchwork of different regulations, they need to have an understanding of the costs involved in such rules,” the Foundation’s Alan McQuinn and Daniel Castro said.

They go on to say that “boiling the ocean” with overly restrictive rules could have a giant rippling effect on things we take for granted -- for example, relevant advertising. If ad agencies could no longer use personal data as a way to pitch specific products to the most likely consumers, it could result in an annual loss of $33 billion to brands and businesses.

“Maximizing consumer welfare requires accounting for costs, because expensive rules increase prices (or reduce free access to products and services) and hinder the development of improved products and services,” McQuinn and Castro said. “Federal data privacy legislation should not be a hidden tax on consumers.”

Where will this end?

It’s clear that more must be done to maintain and protect the privacy of consumers. Privacy shouldn’t be an afterthought or a box that’s checked. Privacy and consumer protection should be at the root of all online engagements. While some companies will offer CCPA-style protections to all U.S. users, one could argue that there should be a national law that protects everyone, no matter how big a company is or where it is.

The privacy showdown at the Not So OK Corral is coming. Study after study lays bare that the level of trust between the consumer and the digital world is anything but good.

“Consumers have lost control over how personal information is collected and used by companies,” is how Dynata’s Jackie Lorch described the situation while reflecting on her company’s latest Global Trends survey.

If CCPA, GDPR, and any other pro-public privacy standards are given their due and the privacy pendulum starts swinging back toward the consumer, the internet of things could return to a healthy, trusted part of our daily lives instead of something we’re always looking at over our shoulder. 

“If we’re ever to collectively gain back our privacy amidst the pervasive climate of surveillance capitalism, legislation is absolutely crucial,” insists Startpage’s CEO Robert Beens. “We should all be rooting for CCPA to succeed and to change the conversation on the widest scale that it may eventually lead to a national law.”

However, getting to that point will take some patience. The California Attorney General’s office told ConsumerAffairs that we’ll have to wait until July 1, 2020, when CCPA kicks in, to see whether the practices of a specific company or business are consistent with its new law.

“I do expect this to be a substantial fight, because Facebook has a lot to lose,” Ward predicted. “But I also think that California courts and, especially, Xavier Becerra, the California AG, will take this very seriously, and use it to try to bring Facebook to heel. We'll see.”
