
What Happened at Facebook?

by Stephanie Quaranta
June 18, 2018

Lessons From The Giant

While not every organization is a social media giant with nearly 2 billion users like Facebook, there’s a lesson to be learned for all organizations from recent events: in today’s data-driven business environment, customer trust matters more than ever before. In this article, Gartner’s Stephanie Quaranta outlines steps privacy and compliance executives need to take in order to protect the value of their customer relationships and ultimately minimize their company’s exposure to privacy risk.

By now, the saga of Facebook and Cambridge Analytica is familiar to us all. In 2013, University of Cambridge researcher Aleksandr Kogan collected personal data from 270,000 Facebook users through a personality test app called “thisisyourdigitallife.” At the time, Facebook’s policies allowed app developers to collect data not just from users who had explicitly consented, but from those users’ friends as well. Kogan assigned test takers and their friends to psychographic segments using the collected data, then sold that information to a political consulting firm called Cambridge Analytica.

Though Facebook discovered this at the end of 2015, it chose not to alert impacted users. Instead, Facebook simply asked Cambridge Analytica to delete the data. Only in March of this year, after an exposé by The New York Times and The Observer of London reported on the data harvesting and Cambridge Analytica’s use of that information to micro-target voters in advance of the 2016 Brexit vote and US presidential election, did Facebook go public with what had happened.

The immediate backlash was fierce. Facebook stock plummeted 18% in 11 days, wiping out $80 billion in value. The hashtag #deletefacebook emerged, with Google searches on how to delete your profile more than quadrupling in the week the scandal broke. Regulators and lawmakers across the globe opened investigations into Facebook’s privacy practices.

Customer Trust at Stake

But here’s where things get really bad for Facebook, and where companies in every industry have a lesson to learn: in the wake of the scandal, 61% of Facebook users said they have “not much” or “no” trust in Facebook. By not being crystal clear in their user agreement, by implementing a policy that was clearly too far ahead of what the users were comfortable with, and by not disclosing the problem when they first discovered it, Facebook has consumed whatever stockpile of user goodwill it once possessed. And while the company’s stock took less than 8 weeks to return to its pre-scandal value, and ultimately only about 9% of users actually did #deletefacebook since the scandal broke, this loss of customer trust is potentially the most devastating to the business.

How so? First and foremost, there are real and immediate costs to losing customer trust. Organizations spent a total of $50 billion on data and analytics in 2016. With the EU’s General Data Protection Regulation (GDPR) now in force, if even one-third of those customers chose to exercise their right to be forgotten, it would cost those organizations a total of $17 billion.

Thinking more long-term, Facebook generates its revenue through advertisement sales, and what makes Facebook a valuable platform for those advertisers is the wealth of data it collects from user activity and profiles that can be used to target their messages. But what happens if Facebook’s users no longer trust the platform to protect that data and use it appropriately? We know that 79% of consumers say they would be unlikely to share data with a company they do not trust. So while people may not be deleting Facebook profiles, they are likely thinking twice before they like a post or RSVP to an event. Users sharing less information is a fundamental threat to Facebook’s data-driven strategy.

And that’s where you come in. More than anything else, the Facebook scandal has demonstrated the value of customer trust and transparency to today’s organizations. You may not operate on an ad-revenue model, but it’s not only social media giants and tech companies that rely on customer data for success. In today’s digital environment, every industry from insurance to retail is increasingly reliant on customer data to underpin major business decisions. Transparency also is not just a Facebook problem: a full 70% of customers generally believe that companies are not transparent about the way their data is being used. Only 9% believe they have “a lot of control” over the information that is collected about them.

Action Items for Privacy and Compliance

What can privacy and compliance executives do to fix this? Start by facilitating a conversation with your board or senior leadership team to uncover any gaps at your organization. Consider the following key questions:

  1. How heavily does our business model depend on the use of high-risk data? Outline which parts of the business are collecting more information or more types of information, providing broader access to employees or third parties, or relying on the information in different ways to make decisions.
  2. Does your business strategy document and subsequently manage the potential privacy risks it creates? Ensure your leadership team feels equipped to explicitly account for privacy risks as they set strategy and make decisions by understanding what creates risk and how it can be managed.
  3. How effective are the controls we put in place to manage our privacy risks, especially those in our highest-risk areas? Discuss whether and how existing controls can maintain effectiveness in a dynamic privacy risk environment, and ensure there is a plan in place to audit and test them regularly.
  4. Do we understand our customers’ expectations and level of comfort with respect to how we manage their data? As the legal and regulatory environment lags behind the pace of innovation, the question becomes “should we do this?” rather than “can we do this?” Brainstorm ways to source customer input into your overall data strategy.
  5. Are we being as transparent as possible with our customers in communicating how we use their data? Ten pages of legal jargon that customers consented to once five years ago is not transparency. Check that your customer-facing policies are accessible and intelligible, and make a plan for communicating them frequently.
  6. What is our third-party strategy? Conduct an exercise to understand how third parties are being used across the company and set guardrails to ensure the third-party strategy is in line with the overall risk appetite.
  7. How effectively are we monitoring ongoing third-party compliance with our standards? Your third-party standards are only as effective as the amount of oversight you dedicate to them; make sure your leaders have processes in place for ongoing monitoring.

Privacy and compliance executives have a big role to play in ensuring continued access to what has for many companies become their most valuable asset—customer data. Put your company on the right path by ensuring your data practices foster a strong and long-lasting relationship with your customers.



Stephanie Quaranta

Stephanie Quaranta is a data privacy research director at Gartner. In her role, she works with legal, compliance, and privacy executives at Fortune 500 companies to identify and prepare for emerging risks, embed privacy risk management into business operations, and work effectively with business and functional partners across the organization. Stephanie holds a B.A. in International Studies from Boston College, and an M.A. in International Economics from the Paul H. Nitze School of International Studies at the Johns Hopkins University.
