As we have all seen and heard, Facebook and their data protection issues have been in the news daily, with Mark Zuckerberg set to testify for two days this week in front of Congress after now-87 million users had their data compromised. This issue has a direct impact on Digital Marketing-focused businesses, but there is a lot of confusion. Here is our perspective on the matter and why this is critical for all of us.

Is this a data breach?

No. The data Facebook “released” was not technically a breach at the time. Instead, it was initiated by users accepting the terms of an app created by a 3rd party, which then shared the data with Cambridge Analytica. At the time, this was an acceptable collection of data under the Facebook Terms and Conditions. Users technically signed off on this if they had not set the privacy controls they wanted, but we know there was little to no notification of this practice, especially the sharing of all FB friends’ data, so Facebook is taking appropriate heat.

What could have been done?

Facebook determines the default privacy considerations and establishes what data can be shared with app providers. In the ad-supported business model, this is Gold. As such, it was encouraged, though users were given options to manually update their privacy controls to limit certain types of collection. Could Facebook have put in tighter controls, both in the default settings and in the data shared with companies? Yes. Could the data records and retention time period have been reduced? Yes. Should apps that users downloaded have had the right to access all usage data? Likely not, but that is a component of the established privacy policy.

Do users’ privacy settings matter?

Yes, Facebook operates according to users’ privacy settings. However, in this case, the issue isn’t with the user’s privacy settings on Facebook but with Facebook’s contractual relationships with its data-sharing partners. So, the client-facing controls are “fine,” but the further downstream use of data is unknown to the user.

What about PII?

In an ad-supported environment, much data sharing occurs, but it is non-PII oriented, whereas this data leak included personally identifiable information. Facebook’s data privacy policies are not illegal but highly questionable. Given the scope of this “data leak,” privacy considerations, and global attention, we expect that additional government regulations may follow.

Facebook’s removal of third-party data providers

As a response to this issue, Facebook recently announced they will remove all third-party data providers from their platforms. While this seems like a positive step, it actually buckets all data providers together and treats them all equally. Many quality, trusted, and robust data partners are now also being penalized. This move could “stop the bleeding,” but eventually we expect some portion of these providers will be invited back. While Facebook inherently has a significant amount of data, with the possible exception of Google or Tencent the richest and broadest consumer data set in the world, Facebook still needs external data to refine its targeting capabilities. This removal of partners could negatively impact targeted advertising campaigns, so marketers and their agencies need to quickly understand any reduced capabilities.

Would a GDPR-type regulation have prevented this?

Facebook’s problems come at an interesting time, given that the E.U.’s General Data Protection Regulation (GDPR) takes effect on 5/25. While GDPR wouldn’t have directly prevented this, it would have significantly improved Facebook’s data governance processes. There would have been documented processes specifically outlining how data could be used by Facebook as well as by its partners. GDPR creates financial and procedural liabilities for managing Facebook’s data as used by its partners and their partners’ relationships. Additionally, users would have been offered additional protections in choosing whether to share data and in the right to be forgotten (as applicable). Moving forward, Facebook will offer GDPR-like protections to all users.

What preventative measures can be taken?

  • On a personal level:
    • Review your Facebook privacy settings.
    • Any apps connected using Facebook login can be disconnected and instead set up with a unique login and a custom password.
  • From a marketer’s perspective:
    • Ensure the company’s data policies are stated and up-to-date.
    • Identify and understand all data sharing relationships and what controls are in place. Is the data being collected necessary to maintain in perpetuity? What is the data retention policy, and when are data records deleted?
    • Confirm that a GDPR assessment and plan have been established for audiences originating from the EU. If the U.S. and other nations create similar regulations, are there concepts from GDPR that are being applied globally as a preventative measure?
Please contact us if needing assistance with GDPR preparation and/or Facebook utilization guidance.