TDWI | Training & Research | Business Intelligence, Analytics, Big Data, Data Warehousing

U.K. Parliamentary Committee Hammers Facebook on Digital Privacy

Facebook is on the hot seat again with another data privacy PR problem.

• By Dan Goldstein
• February 27, 2019

Almost a year after the Cambridge Analytica scandal broke, consumers are still concerned about their data privacy, and regulators are getting the message. Recently, a U.K. Parliamentary committee (the Digital, Culture, Media, and Sport Committee) released a report calling Facebook "digital gangsters." After an 18-month investigation, the Committee is calling on Parliament to begin regulating Facebook and other tech companies.

For Further Reading: Data Privacy and Security Still Big Consumer Concern One Year After Facebook Scandal Data Privacy: 3 Best Practices to Enact Now Privacy Laws Will Soon Be Inescapable

It remains to be seen whether Parliament will take up the mantle and promulgate legislation regulating the tech industry and its privacy practices, but one thing is sure, momentum is building both in the U.K. and in the U.S. for regulatory solutions to protect consumer data privacy. In the U.S., both federal and state lawmakers seem primed to legislate on this issue. Beyond that, there is a possibility that the FTC or another federal agency will step in and attempt to regulate tech-company data privacy practices even without new legislation.

Is Facebook Tone Deaf to Consumer Privacy Concerns?

Facebook has been at the center of the consumer data privacy issue since it was revealed that the social media giant had improperly shared the private data of 87 million people with Cambridge Analytica. That issue was front page news for days due to the connection to the 2016 U.S. Presidential campaign.

Then Mark Zuckerberg tried to defend Facebook's policies by testifying in front of U.S. and EU lawmakers to try to defuse the issue. Unfortunately for Facebook, Zuckerberg's "apology tour" was met with skepticism and then overwhelmed by a series of negative revelations that reinforced the view that Facebook didn't take user privacy seriously. Among the revelations:

• The departure of WhatsApp co-founder Jan Koum over Facebook's data privacy policies was soon followed by the departure of Instagram's founders who also had disagreements with Zuckerberg.


• FTC and other federal agencies are investigating the Cambridge Analytica and related data privacy scandals as well as the violation of an existing administrative order. It now appears that Facebook will be hit with a multi-billion dollar fine from the FTC as a result of that investigation.


• A complaint was filed by the U.S. Department of Housing and Urban Development claiming that Facebook had allowed businesses to engage in housing discrimination through Facebook targeting.


• Data sharing deals with device makers gave them access to private data of Facebook users who accessed Facebook through their phones.


• News stories reported that Facebook was asking major banking institutions to share account information when Facebook users accessed their bank accounts through Facebook's Messenger app.

Recent Legislation

Facebook's missteps have not gone unnoticed by legislators or regulators. The EU already enacted the General Data Protection Regulation (GDPR) and is beginning to enforce it. The GDPR is intended to protect the privacy rights of EU citizens. It has required a number of websites to update their privacy policies and take action to allow EU consumers greater control over their data. It also provides for significant financial penalties for violations.

In the U.S., California recently passed the California Consumer Privacy Act (CCPA). Although not as far reaching as the GDPR, this law also imposes significant limitations on companies subject to the law.

Regulation and Legislation is Coming

Now we see the potential for more data privacy regulation by both state and federal lawmakers and regulators. Recently, the General Accounting Office (GAO) released a report recommending comprehensive Internet privacy legislation. This will only add momentum to the push for a major federal privacy law. There is bipartisan support for such a GDPR-style bill -- both Senator Richard Blumenthal (D-CT) and Senator Jerry Moran (R-KS) support it in concept -- but disagreement remains about the extent to which it will allow for civil penalties and whether it will preempt state laws such as the CCPA. In addition, the chairman of the Senate Commerce Committee, Senator John Thune (R-SD), plans to invite tech and telecom executives to hearings about data privacy legislation.

Regardless of whether or not Congress enacts consumer privacy legislation, it seems certain that a large number of states will follow California's lead and enact legislation to protect the privacy rights of their citizens. A white paper by the law firm of Wilmer Hale lists all of the states that are considering privacy legislation in the wake of the recent privacy breaches, the GDPR, and the CCPA. Most are modeled after the CCPA, but if multiple states pass individual privacy statutes with specific restrictions and consumer privacy rights, it is likely to cause significant harm to many businesses that use the Internet to market and sell their services and products.

The obvious risk with all of this proposed legislation is that it will result in a patchwork of regulations that apply to different businesses and online marketers depending on their size, location, target customers, and nature of their businesses. Some states may exempt small businesses based on revenue (the CCPA doesn't apply to most businesses with revenue under $25,000,000 per year) and others may regulate businesses based on the number of consumers with respect to which they buy or sell personal information. (The CCPA also uses this as a criteria to determine whether a business is subject to its requirements.)

If different states regulate different businesses and enact different standards and requirements, it may become a compliance nightmare for businesses that operate in multiple states.

In addition to the data privacy laws applicable to other businesses and tech companies, according to the National Conference of State Legislatures, in 2018 close to half the states were considering legislation to restrict how Internet service providers can collect or share consumer data.

Given the potential for business disruption and consumer confusion, the best approach would be comprehensive federal legislation that preempts state consumer data privacy legislation. The key will be walking the fine line between protecting consumers without overly burdening businesses with disruptive regulation.