Native (Edge) advertising practices conducted by Facebook are considered legal in every area of the marketplace. How would things change if existing privacy law was actively enforced?
By Sheila Dean
One of the most remarkable questions posed to Facebook, CEO, Mark Zuckerberg went to whether he, John Tester, personal data owner, could cash in on residuals from Facebook’s licensing tributaries, if he owns it. Zuckerberg replied with a refrain similar to, "Senator...It's your data. You control it." [Or more likely Facebook controls it because Tester submitted AGREE to the EULA.]
It ain’t exactly so, Facebook, or you would not be in front of a US Congress disciplinary hearing, required due to your enmeshed relationships with political machinery, US federal law enforcement, foreign and national intelligence business partners, as well as data service brokers. The simple fact is, it has been really easy to cut the consumer out of the personal data brokering business process, based on one-sided contracts Silicon Valley issues to the Internet public.
I’ll give you an example of how a normative public IP would be handled in a licensing exchange. Every time you turn on the TV or radio you may hear a familiar song from a recording artist you know and love. The recording company brokers a licensing deal to use the song, to air on broadcast stations or for general use by DJ’s in a local club. Stations and clubs pay a flat fee once a year based on their market reach. If a station picks up the song, the licensing from ASCAP and BMI reporting kicks in. Residuals are paid to whomever has ownership rights to the song, usually part recording company and part artist. The artist gets a statement from ASCAP or BMI exchanges, indicating who paid to use their song as public material.
Personal data, such as biometrics or health data, is private information. However, depending on the scope of diffusion of the information and who has it, it is as if it were broadcasted. The public airing of private information annuls privacy. That act is considered a crime in most of the modern world. In backwoods 3rd world areas, those kinds of disclosures can get you killed.
FOR THE REGULATORS
Facebook has avoided alienating the user by never disclosing which entities, or how many, licensed their personal information. Regulators could solve this transparency problem by requiring companies and non-profits, who broker personal data, to provide disclosure report statements. This would be routine accounting of who has bought aspects of their personal information, how much it was sold for, when it was sold etc., to the individual data owner, like a monthly licensing statement.
In order to temper the problem area of publicising private information, Facebook’s regulators need to clearly limit the sale-scope range of existing classifications of private data, issuing toothsome rules of enforcement for the DOJ. Child data, health data and financial information are all heavily protected under existing US privacy law. If data brokers comply or conform with existing law, they will not be selling or trading in this type of data without certain explicit consent and cease collection of it as risk mitigation process. US privacy law must be enforced by an agency who can actively impose jail time and stiff financial penalties, not merely audit and witness further crimes by a company, thereby enabling a corrupt or negligent business process. Companies and non-profits will continue to break privacy law with no effect unless there is adequate enforcement. Tougher enforcement needs to be enacted as individual privacy is impacted.
FOR COMPANY
There are also a few things Facebook could do on their own to mitigate license breach of contract and global conflicts of interest.
1) Develop a paid model for people who want to keep their data private. If users have been reluctantly abiding with a generalized license exchanging personal information for site use, offer a paid model as an alternative. The people who want to keep their data out of data brokerage markets will have a different contract, paying a flat fee for Platform-As-A-Service. The new contract would explicitly state users exclude their information from their data brokerage markets. New users will still be able to use the free model exchange.
2) Comply with existing privacy law in all of your business process. Don’t sell and/or limit collection of classes of health information, child information, financial information, and other forms of sensitive and protected personal data. Securely dispose of old personal data which can make you liable. Comply with existing demands for lawful compliance over personal data. GDPR will be a very good exercise in conformance. Don’t wait to enlist more staff and consultants to help.
3) Issue weekly statements of data exchange to all freemium account users, including those who comport 3rd party applications as a condition of continued business. Users need to know who has their information and who is in the market for their information so they can control who has their data. For example, if the user/account holder/data owner wants to pull out of a 1st party company business line or 3rd party exchange for their data, based on their race and ethnicity, allow 7-10 business days for consent reporting as part of the new EULA. If you would like it sooner, issue UX prompts, like hourly push notices, while the user is logged in. Code the consent scripts with clear markers so they can market their data appropriately.
4) If a user deactivates their account, cease license of their data and schedule their data for disposal. This should also apply to 3rd party applications who had previous permissions for data use from the site.
5) Start accepting, recording and conveying consent notices concerning US government buyers. A proactive approach would disclose government requests for data buys to the consumer, just like other commercial buyers, by soliciting individual consent for the exchange. If a US constituent, verified by the site’s standards, submits their own privacy notice invoking the Privacy Act, to bar 3rd party information exchange to government actors present it to the government buyer. Save it to present it to government requestors who do not have a subpoena or fall into an exempt class of data collection for a specific government purpose. This keeps an audit trail for campaigns acting on behalf of incumbents and may prevent abuses of public office.
Facebook has a long road ahead. However, for every Facebook, there are thousands of smaller businesses on the freemium model looking toward them as examples of successful business behaviour. While Facebook is a successful company, their CEO appeared before Congress when everyone saw how they failed the public. Help yourself to a better example. If Facebook wants to BE that better example, their actions need to exceed our privacy expectations of baseline evasive legal compliance. Examine how competition can serve Internet users better through right choices and fair exchanges.