Will Facebook even exist in five years? The Cambridge Analytica data privacy scandal has now resulted in advertisers pulling ads from Facebook, companies eliminating Facebook log-in functions, consumers creating a #deletefacebook campaign and numerous lawsuits. The U.S. Federal Trade Commission (FTC), the U.K. Information Commissioner’s Office and a coalition of state Attorneys General have all launched investigations into Facebook’s privacy practices. Facebook’s stock price has dropped dramatically since the news broke. Can Facebook recover? Yes, but it will be difficult.
Facebook has three groups it needs to mollify right now: shareholders, policymakers, and of course, consumers. The company needs a coordinated strategy to address concerns from each. Facebook has already been attempting to stop the bleeding. CEO Mark Zuckerberg has embarked on an apology tour, speaking to various media outlets about Facebook’s responsibility to users. The company has also apologized in full-page ads in a number of newspapers, including the New York Times, the Washington Post and the Wall Street Journal.
When it comes to company shareholders, Facebook must make the case that it is merely facing a momentary setback. One way it could do this is by proving that the company can generate revenue outside of its traditional targeted advertising business model. A key concern for shareholders is that these privacy scandals will push policymakers to create new regulations that will curb the profitability of online advertising and other activity requiring user data. Facebook needs to prove either that such a scenario won’t happen, or that the company is strong enough and smart enough to survive it.
Facebook must also prove its case to policymakers. This is not the first time Facebook has been criticized for privacy violations. The FTC is investigating if Facebook violated a 2011 consent decree — after a previous privacy violation. Facebook needs to take concrete actions to prove that the company won’t simply promise, again, to do better and instead ignore the problem, as they have done before. Policymakers in the U.S. and the U.K. are calling on Facebook CEO Mark Zuckerberg to testify in front of government officials.
Facebook leaders must heed this call and take seriously all hearings and regulatory proceedings. Zuckerberg recently agreed to testify before Congress, which is a positive step forward. If Facebook fails to convince governments that it can be a responsible actor, policymakers will be more likely to enact new rules that severely restrict Facebook’s practices.
But above all, Facebook must win back its consumers. Facebook’s core business model depends on advertising and user data. Without a strong, engaged user base, the business will fail, and the company will face the wrath of its shareholders. User mistrust will also have political consequences for Facebook, as policymakers may attempt to win points with angry constituents by enacting stricter laws to reign in the social media company. Widespread consumer anger could also lead regulators to investigate and enforce judgments against the company more harshly and influence policymakers to enact stricter laws to reign in Facebook.
More than anything, Facebook must find a way to persuade consumers that the company will protect user privacy. This means Facebook must change its internal policies on privacy and product development. Privacy by Design should be a core value, company-wide. Every single employee at Facebook needs to understand why and how to protect privacy. Facebook should also consider simply collecting less data, storing data for shorter time periods and limiting how data is transferred to third parties. From a public relations standpoint, the benefits of changing how much and what kinds of data the company collects may outweigh the costs of not being able to use that data for advertising and behavioral analysis.
Much of the change that needs to happen at Facebook needs to happen from within. However, Facebook also needs to make visible, public changes to signal to consumers that they are taking privacy seriously. Facebook should (and are already starting to) make material changes to their website and mobile app, for example, to show consumers that the company is working on protecting privacy more effectively. (Personally, I would love to see the return of the Facebook "privacy dinosaur," the friendly dinosaur icon the company once used to introduce users to privacy settings and explain privacy policies.) Facebook should announce any changes publicly, as a show of good faith. Publicly partnering with nonprofit organizations that focus on privacy would also be a smart way to cultivate trust, as would publicizing the fact that the company does have a robust privacy management team. Public statements should not only appear in newspapers, but also in notifications sent directly to user home pages.
While the failures at Facebook have taken center stage currently, this crisis is about more than just one social media platform.
If other companies want to avoid collateral damage, they should use this a teachable moment and evaluate their own privacy policies. The tech industry has recently faced increased regulatory scrutiny, particularly after the Senate tech hearings in the fall of 2017. Of course, given the cutthroat nature of Silicon Valley, it’s possible that other start-ups will try to argue that this is an isolated incident and that Facebook acted alone. This could help other companies gain competitive advantages. (“After you delete Facebook, maybe try Google Plus?”)
But it’s unclear how effective that message will be with consumers in the long-term. The attention span of tech users is short, and scandals are plentiful. Remember #DeleteUber? And on the other hand, scapegoating Facebook could put added pressure on policymakers to create new and stricter legislation, with industry-wide implications.
Regardless, all tech companies must use this opportunity to make sure their own products and services are not vulnerable to privacy deficiencies. Just today, Under Armour announced that the fitness app accounts of as many as 150 million users had been compromised in a huge data breach. Consumers will be even less forgiving the second time around. This is especially important for companies that rely on data-driven advertising. After this scandal, both consumers and regulators will be much less inclined to give companies the benefit of the doubt.
Like Facebook, the tech industry needs to prove that they deserve consumer trust. Companies must prove they can and will protect user privacy. Facebook may yet survive this disaster of its own making, but it’s unlikely to do so unscathed. And if other internet companies do not take advantage of this moment, they too may soon encounter the same kind of public backlash and regulatory scrutiny Facebook is currently facing.
Tiffany Li is an attorney and resident fellow at Yale Law School's Information Society Project. She is also a Fellow of Information Privacy and Advisory Board Member for the International Association of Privacy Professionals. Follow her on Twitter @tiffanycli.