When news broke that Cambridge Analytica illegally harvested the data of millions of Facebook users who interacted with the former company’s third-party app, the backlash was fierce.
The aftermath reveals lessons all companies can learn, regardless of the extent to which they use social media.
1. Delayed Acknowledgements of Wrongdoing Make Things Worse
One of the most significant concerns the public had about Facebook’s data privacy issue is the fact the social media giant knew about it for two years but didn’t do anything at that time to protect its users.
Accusations swirled, then, that Facebook would have ideally liked to have kept the problem concealed for good but lost that battle.
In his testimony before Congress earlier this April, Zuckerberg said:
Over the past few weeks, we’ve been working to understand exactly what happened with Cambridge Analytica and taking steps to make sure this doesn’t happen again. We took important actions to prevent this from happening again today four years ago, but we also made mistakes, there’s more to do, and we need to step up and do it.
Swift and decisive actions taken by companies at fault increase public confidence, especially since the old saying goes that the truth always comes out.
2. Third-Party Monitoring Is Essential
Cambridge Analytica took Facebook user data through an app modeled like a fun personality quiz.
The problem was, even people who didn’t directly interact with the app had their data compromised. The way the app worked involved grabbing data from all the people who used the app — plus those individuals’ friends.
Those analyzing Facebook’s privacy problem soon realized the social media site doesn’t do enough to determine what happened to data once it reached an outside entity like Cambridge Analytica.
In a post published on his profile — but not until five days after the news broke — Facebook’s Mark Zuckerberg admitted he was not sure how this fiasco happened.
The company stopped short of calling the incident a data breach, but noted it was not sure what information Cambridge Analytica accessed as a result of its app.
Those information gaps indicate that Facebook does not adequately police the data given to third-party companies.
If it wants to regain the public’s trust, Facebook must step up that practice and ensure data that originates at the social media site is not misused elsewhere.
3. Obtaining Proof Is a Necessary Step in Data Deletion Measures
Facebook found out Aleksandr Kogan, the creator of the offending Cambridge Analytica app, violated its policies but didn’t ban that person or the company at large until this year.
Even worse, Facebook had asked Cambridge Analytica to destroy the data it had but recently heard allegations that the company did not do as it had promised.
Kogan believes he did not do anything wrong, saying Facebook doesn’t have an enforced developer policy.
That suggests Facebook did not do enough to ensure Cambridge Analytica got rid of the data. Asking for nothing more than a verbal affirmation doesn’t give a company at fault sufficient motivation to comply with demands, nor does the lack of consequences for not following through with them.
Companies subjected to future privacy issues related to unauthorized data possessed by third-party companies can learn from Facebook’s blunder by requiring some form of verifiable proof that demonstrates the required action has occurred.
Also, they must let third-party organizations know they’ll be swiftly monitored for not doing as told.
4. User Privacy Should Be a Priority From the Start
In late March, Facebook redesigned its privacy settings to make them easier to access and understand.
The site also offers an Access Your Information section that lets people see data about themselves housed on the site. It gives users the option of deleting the material there, but doesn’t mention whether doing that takes it off Facebook’s servers or merely removes it from what the end user sees.
It’s crucial for other companies to look at Facebook’s example and realize the reactive approach isn’t preferable. Would the social media platform have focused on privacy if the scandal hadn’t happened? Probably not.
Ideally, businesses should always show, through words and actions, that they value consumer privacy as a rule, not a response intended to calm the backlash.
That means setting up initial all-encompassing and accessible privacy policies. Then, as things change, businesses should update privacy policies and call people’s attention to what’s changed since the last version.
5. Collecting Data From Nonusers Could Be Prohibitively Risky
As a way of showing their displeasure for how Facebook failed to safeguard their data, many users swore off the site and shut down their profiles.
However, when Zuckerberg testified in front of U.S. lawmakers, he disclosed that Facebook even collects data from nonusers, meaning that ceasing interactions with Facebook isn’t a guaranteed way to keep one’s data secure.
Zuckerberg asserted that Facebook uses the data from nonusers to stop people from malicious intentions from stealing publicly available content, such as profile names. Most people know they’re giving up some privacy by using the internet.
However, companies have a responsibility to be transparent about the data-collection practices for nonusers.
After Zuckerberg’s admission, people chimed in to say his explanation was too vague.
If other companies take data from individuals not using their sites, they must remain aware that the practice could prove more damaging than beneficial.
Facebook is surrounded by a social media-centric storm that shows little sign of easing.
On a positive note, at least other well-known businesses can learn from its mistakes.