Obviously, all companies benefit by moving towards a better data privacy regime. As recognized by Mastercard’s Chief Privacy Officer: “Privacy and accountability are central to our data-driven innovation, and have become key differentiators for our brand. This research reinforces the fact that privacy is a critical investment for forward-looking companies.”
In one of the first studies to estimate privacy returns for companies on a global scale, Cisco’s 2020 Data Privacy Benchmark Study assessed the benefits companies see in areas such as “operational efficiency, fewer and less costly data breaches, reduced sales delays, [and] improved customer loyalty and trust”. More than 70% of those surveyed indicated they saw “significant” or “very significant” benefits in each of these areas based on their investments in data privacy initiatives. As for the actual quantification of these benefits, for every $1 of investment, the average company purportedly received $2.70 of benefit. For Microsoft, this monetary lift does not appear to drive its privacy epiphany.
Seeking to erase years of insecure Windows development contributing to countless data incidents, Microsoft’s newfound focus on data privacy over the past five years originates from the very top. Its privacy head recently testified before Congress exactly because she is a longstanding privacy steward now seeking Congressional help for consumers. Microsoft CEO Satya Nadella went one step further at the 2020 World Economic Forum in Davos by suggesting that consumers obtain compensation for their data: “Data that you contribute to the world has utility for you, utility for the business that may be giving you a service in return — and the world at large. How do we account for that surplus being created around data? And who is in control around giving those rights?” He recognized: “What if the consumer benefited from their data as well as advertisers? More work needs to be done around data dignity – and new business models in the 2020s.”
This is not to say Microsoft is now rushing to compensate consumers for the use of private data. Recently, it was uncovered that Microsoft built cancer algorithms using patient data obtained from Providence Health & Services in Renton, Washington. No report exists of Microsoft compensating patients for this use of their data. Nevertheless, when it comes to building the brightest path for data privacy there remains no other BigTech company suggesting that consumers be compensated for their data or promoting the use of a decentralized identity for consumers – the likely precursor to any viable “right of compensation” statutory scheme. When it comes time to finally do the right thing, Microsoft will apparently be leading the way to ensure it gets done correctly.
UPDATE: March 5, 2020
According to the Verge Tech Survey 2020: “Microsoft leads big tech companies in the number of Americans who say they trust it, at 75 percent of survey respondents. Amazon is close behind, at 73 percent. Pulling up the rear is Facebook: just 41 percent of Americans say they trust the company to safeguard their personal information.”
Class counsel alleged in the complaint that Facebook’s “Tag Suggestions” program – a now-terminated program that scanned for and identified people in uploaded photographs for purposes of photo tagging – improperly collected and stored biometric data without prior notice or consent in violation of the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq. Specifically, Section 15(b) of BIPA provides that biometric data may not be obtained without (1) written notice that biometric data is at issue, (2) written notice of why and for how long the data is being collected and stored, and (3) written consent from the subject.
Facebook sought dismissal arguing the lack of Article III standing necessary for all federal lawsuits – in essence, arguing that the mere technical violation of BIPA’s statutory notice and consent provisions did not actually cause any real harm to the plaintiffs. In rejecting that argument, the District Court found that actual and concrete harm sufficiently existed to create Article III standing. Patel, supra, 290 F. Supp. 3d at 953 – 954 (“BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent. As the Illinois legislature found, these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers — identifiers that cannot be changed if compromised or misused. When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.”).
Even though this suit may still be dismissed on other grounds given the only argument that actually percolated all the way up to the Supreme Court was the standing issue, this was definitely Facebook’s strongest defense so it now faces likely exposure in the billions. A class comprised of seven million potential members with statutory damages based only on a single uploaded picture per person could yield damages of between $7 billion for a negligence finding and $35 billion for an intentional or reckless finding. In addition, this remains only one of several BIPA class actions against Facebook currently litigated around the federal judiciary. Despite its $5 billion mea culpa with the FTC, Facebook’s privacy exposures are certainly nowhere near its rear view mirror.
The Supreme Court may eventually take on a new privacy standing case but it will likely be a specific Google case that gets the nod – a case where the Supreme Court previously ruled: “Because there remain substantial questions about whether any of the named plaintiffs has standing to sue in light of our decision in Spokeo, Inc. v. Robins, 578 U. S. ___ (2016), we vacate the judgment of the Ninth Circuit and remand for further proceedings.” And, if this Google “referrer headers” case does not get the nod, as states continue to push the boundaries of privacy rights, the Supreme Court will certainly revisit its Spokeo decision to determine whether the violation of some future privacy law merits federal standing – especially when only a “trifle of injury” is alleged. Ultimately, the question that may be answered by the Court is whether the mere alleged violation of a law addressing digital privacy rights sufficiently constitutes an Article III injury. See Patel, supra, 932 F. 3d at 1273.
On September 13, 2019, the California Legislature adjourned with numerous CCPA amendments ready for the signature of Gov. Gavin Newsom. Two amendments that ultimately passed, AB 25 – which provides a one-year moratorium on CCPA’s application to employee, beneficiary and emergency contact information, and AB 1355 – a broad-ranging amendment to the law, are particularly helpful for business owners. Other changes to CCPA, including AB 1146, AB 874, and AB 1564 either do not alter in any material way the spirit or intent of the law or are redundant to changes found in AB 1355. There was also one proposed amendment – AB 846, that was withdrawn for consideration until next year but would have greatly enhanced the protections found in CCPA by creating a private right of action for notification and data usage failures.
Three of the changes found in AB 1355 are noteworthy given that in some very real ways they chip away at the consumer-first thrust of CCPA. First, by modifying the definition of “personal information” to mean “reasonably capable of being associated with” a particular consumer or household, instead of just “capable of being [so] associated”, CCPA may get a reasonableness component that would give companies a strong new argument when defending a private action breach claim. Moreover, the AB 1355 amendments explicitly state that deidentified and aggregate information are exempt from CCPA – in effect, potentially giving social media platforms a sought-after CCPA safety hatch.
And finally, the AB 1355 Amendment states that the reasonableness of charging a different price or rate or providing a different level or quality of goods or services for the use of data should be measured in relation to the value of the personal information to the business and not to the consumer – as it was initially drafted. Given that most social media platforms and data brokers actually place very low values on specific consumer data, this change is of obvious great significance. Not surprising given the heavy lobbying, these and other changes actually benefit data merchants to the detriment of consumers.
On September 10, 2019, fifty-one CEOs wrote a letter to Congressional leaders asking them “to pass, as soon as possible, a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.” The signatories to this letter come from a broad range of industries, including retail (Walmart, Amazon, Target, Macy’s), banking (JPMorgan Chase, Bank of America, Citigroup), card brands (American Express, Visa, Mastercard), technology (Salesforce, SAP, SAS Institute, IBM, Dell, Qualcomm), as well as consumer goods and pharmaceutical (Bristol-Myers Squibb, Johnson & Johnson, Procter & Gamble), insurance (Chubb, New York Life Insurance, Principal, State Farm, USAA), and media-rich telecommunications (AT&T, Comcast).
Conspicuously absent from this list of companies are the two largest beneficiaries of Business Roundtable’s privacy initiative – Facebook and Google.
As set forth in their CEO letter: “Business Roundtable has released a Framework for Consumer Privacy Legislation (attached to this letter), which provides a detailed roadmap of issues that a federal consumer privacy law should address.” If one takes a look at this proposed Business Roundtable Framework, Facebook and Google’s sought-after end game comes better into focus – which is especially impressive given that neither company is even a current member of the Business Roundtable.
Business Roundtable’s Framework proposes that a new federal law “establish a national standard for breach notification that preempts state laws” and prevents the “state-by-state approach to regulating consumer privacy.” As well, the Business Roundtable Framework specifically also states that “[a] national consumer privacy law should not provide for a private right of action.”
Apparently, everything may fall into place for those who feast on consumer data. First, CCPA may have been weakened sufficiently to make 2020 not nearly the onerous compliance year most companies expected – especially since the tabling of AB 856 and its creation of a new right of action for breach of CCPA’s consumer notification and use provisions. Given California’s privacy statutes may very well end up being the model for a federal law, weakening CCPA before pushing for a federal law was the necessary initial step in this two-step dance.
While others may have publicly taken up their fight, Google and Facebook are smoking cigars in a dark backroom somewhere laughing at how brilliantly their plan may ultimately play out.
UPDATE: October 16,
Without any fanfare or even a mention on the California Governor’s website, Governor Newsom quietly signed into law all of the CCPA amendments put on his table, including AB 1355 which amends § 1798.140(o)(2) of the CCPA, to provide that personal information “does not include consumer information that is deidentified or aggregate consumer information” – making all social media platforms raise a toast to their victory, and amends Cal. Civ. Code § 1798.150(a)(1) of the CCPA to reaffirm that class-action lawsuits may be brought only for data breaches when personal information is “nonencrypted and nonredacted” and thereby shut out wide swaths of potential claims.
On July 24, 2019, the FTC filed its Stipulated Order requiring that Facebook comply with newly-imposed privacy requirements for a period of twenty years. The most noteworthy aspect of this Order, however, does not relate to the specifics of this compliance framework – which can easily be addressed with the right counsel. Rather, the requirement that is more challenging for Facebook is the one creating an “Independent Privacy Committee” within Facebook’s Board of Directors “consisting of Independent Directors, all of whom” have “(1) the ability to understand corporate compliance and accountability programs and to read and understand data protection and privacy policies and procedures, and (2) such other relevant privacy and compliance experience reasonably necessary to exercise his or her duties on the Independent Privacy Committee.”
Such specific requirements regarding the capabilities of a Board member are more than a bit unusual. Given the fiduciary responsibilities of Board members as well as the reputations of those willing to become members of this “Independent Privacy Committee”, this novel requirement may actually do something to curtail future privacy transgressions.
There is no doubt the FTC resolution was Facebook’s well-orchestrated attempt at rehabilitating its tattered reputation. As stated in Facebook’s blog response: “Billions of people around the world use our products to make their lives richer and to help their organizations thrive. That makes it especially important that the people who use our platform can trust that their information is protected. This agreement is an unambiguous commitment to do that.” Indeed, this agreement may even be marketed as a way of bolstering dwindling user engagement.
Using a tone that permeated much of the hearing, Sen. John Kennedy ignored Facebook’s participation in a Swiss Association that purportedly leaves Facebook with little control over Libra and instead mocked: “Facebook wants to control the monetary supply. What could possibly go wrong?” Sen. Sherrod Brown (D-OH) reinforced this lack of trust when he said that Facebook was dangerous because it did not “respect the power of the technologies they are playing with, like a toddler who has gotten his hands on a book of matches, Facebook has burned down the house over and over, and called every arson a ‘learning experience.’”
On a more substantive side, the hearing was driven by a concern for privacy rights. As reported in The Wall Street Journal, Mr. Marcus suggested that Facebook would not monetize users’ data related to Libra because no financial or account data from the Libra network would be shared with Facebook: “We’ve heard loud and clear from people, they don’t want those two types of data streams connected.”
Even though it did not garner much public analysis, Chairman Crapo’s Statement provides an important privacy perspective that may also set the table for future legislative action: “Individuals are the rightful owners of their data. They should be granted a certain set of privacy rights, and the ability to protect those rights through informed consent, including full disclosure of the data that is being gathered and how it is being used.”
And, despite all of his protestations to the contrary, in his own prepared testimony, Mr. Marcus actually provides a rough roadmap detailing how the financial and transactional data obtained by Calibra could directly bolster Facebook’s data surveillance revenue.
Specifically, Mr. Marcus states: “The Calibra wallet will let users send Libra to almost anyone with a smartphone, similar to how they might send a text message, and at low-to-no cost. We expect that the Calibra wallet will ultimately be one of many services, and one of many digital wallets, available to consumers on the Libra network. We do not expect Calibra to make money at the outset, and Calibra customers’ account and financial information will not be shared with Facebook, Inc., and as a result cannot be used for ad targeting. Our first goal is to create utility and adoption, enabling people around the world— especially the unbanked and underbanked—to take part in the financial ecosystem. But we expect that the Calibra wallet will be immediately beneficial to Facebook more broadly because it will allow many of the 90 million small- and medium-sized businesses that use the Facebook platform to transact more directly with Facebook’s many users, which we hope will result in consumers and businesses using Facebook more. That increased usage is likely to yield greater advertising revenue for Facebook.”
To suggest that the mere ancillary use of Facebook’s platforms by Calibra users will alone cause an increase in advertising revenue makes little sense. The only way Calibra will yield greater “advertising revenue” to Facebook is directly related to the well-understood increase in value user data would have after alignment takes place between transaction data and the other data obtained from Facebook’s platforms and services. Indeed, advertisers have long recognized that personalization data is not nearly as useful as relevance data.
A long-term goal of Facebook’s Libra project, namely combining user data with associated financial and transactional data, should not be considered well-hidden. Mr. Marcus’ written testimony all but confirms Facebook will eventually harvest transactional and KYC data: “Calibra will not share customers’ account information or financial data with Facebook unless people agree to permit such sharing.” Indeed, Sen. Pat Toomey specifically asked Mr. Marcus whether Facebook intended to seek user consent to monetize Calibra-derived financial data and Mr. Marcus incredibly responded: “I can’t think of any reason right now for us to do this.” Really?
House Financial Services Committee Hearing of July 17, 2019
One major difference between the Senate hearing conducted on July 16, 2019 and the House Financial Services Committee hearing of July 17, 2019 was the sort of testimony provided by industry experts. Even though the Senate smartly sought testimony from Wall Street and blockchain industry expert Caitlin Long, unlike with the House, there was no one educating the Senate on Calibra’s privacy issues.
For example, MIT Professor Gary Gensler’s prepared House testimony lays out a number of questions regarding privacy that Facebook should answer at some point: “We know that many of the most intrusive privacy practices of concern to privacy regulators have actually been subject to some form of consumer consent. So, it will be essential to conduct a more thorough analysis of what uses of Libra data should be allowed and which uses should be prohibited. How would such restrictions be monitored and enforced? What are the limited exceptions and might Calibra broadly seek customer consent in the form of standard user agreements? It would be likely that Calibra would want to commercialize this data. At a minimum, without sharing the raw transaction data from customers’ Calibra Wallets, it would still likely analyze such data to earn money either through advertisements or by offering targeted services to wallet holders.”
As well, in the prepared written testimony of Robert Weissman, President of Public Citizen, there is a long discussion explaining why Facebook is a “Corporate Surveillance Leviathan” that cannot be trusted with the proposed Calibra wallet.
The House Hearing also raised the issue of whether Facebook would be able to pick and choose users of the Calibra wallet – potentially forcing persons to conform their behavior to Facebook standards. In one highlight of the House Hearing, Congressman Sean Duffy waved a twenty-dollar bill in the air while making the point that anyone, including persons who say horrible things, can use a twenty-dollar bill but: “Who can use Calibra?” In response, Mr. Marcus pointed out anyone who could satisfy Calibra KYC requirements – which then begged the loaded follow-up question from Congressman Duffy: “Could Milo Yiannopoulos and Louis Farrakhan use Calibra [given they are both banned from Facebook]?” In response, Mr. Marcus said that an applicable policy hasn’t yet been written but that it was “an important question that [Facebook] needed to be thoughtful about.”
Given Facebook’s poor track record – indeed, former Facebook executives readily acknowledge Facebook holds too much market power and should not be trusted going forward – these and other “important questions” must be answered as soon as possible.
Facebook’s crypto advertising ban and duopolistic reach pretty much sums up why potential users should be careful before jumping on the Libra bandwagon. In what can only be considered ironic, the “Libra Coin” is not even a true cryptocurrency or even built on a blockchain – it is apparently the token for a permissioned payment network that is partially decentralized while requiring the disclosure of sensitive authentication data as well as use of the Calibra wallet owned and operated by Facebook itself. Most importantly, as a node on the network Facebook will also have access to all consumer transaction data flowing on the network. Like icing on a global cake, by being part owner of a de facto bank, Facebook will also get to share in any float interest.
Those premier venture firms and companies who have anted up to align with Facebook’s project may believe in the collective end game but to align now with Facebook simply because of its tremendous reach will likely be a mistake for them as well as the consuming public.
On June 6, 2019, Maine joined a chorus of state legislatures moving on data privacy – this time requiring providers of broadband Internet services to obtain express consent before using a consumer’s personal information. Specifically, the new Maine law reads: “A provider may use, disclose, sell or permit access to a customer’s customer personal information if the customer gives the provider express, affirmative consent to such use, disclosure, sale or access. A customer may revoke the customer’s consent under this paragraph at any time.”
Maine’s law is even more restrictive than California’s Consumer Privacy Act which will deploy an “opt out” mechanism requiring the consumer to inform data processors of their preference. Both Californians and Mainers will have to wait until 2020 to benefit from their respective data privacy laws – with the Maine statute taking effect on July 1, 2020.
As reported in The Hill, tech lobbyists are now exerting their best efforts on obtaining a federal law that will moderate this and other consumer privacy state gains – which is not surprising given even stricter data privacy laws percolating in other states. Whether or not certain data privacy provisions die in a preemption skirmish, data rights will continue their reimagination by market forces so lobbyists alone can never prevail in their clients’ war against true individual data ownership.
New York is now moving on a bill, S5642, that is even more protective than the California Consumer Privacy Act while New Jersey is in the process of merging two proposed bills that may lead in the same direction. There has been opposition to these proposed laws by those companies who have the most to lose by stringent data privacy controls.
If passed, however, these new laws may actually prod Congress to finally move on a comprehensive privacy framework – one that might preempt aggressive laws such as the ones proposed by New York and New Jersey and the one already passed in California, in favor of a much more tempered approach.
In other words, the Internet Association and its lobbying partners may actually win the war if these bills are enacted and it can just get Congress to act in a preemptive manner. Thankfully, the momentum has been consistently on the side of consumer protection and any hope of bipartisan action on the part of Congress remains a long-shot given the current political environment.
A different sort of threat to Facebook can be found in the decentralized Internet currently being built by start-ups such as Blockstack – which recently filed an SEC Reg A+ offering for $50 million by way of a subsidiary. Blockstack looks to leapfrog centralized platforms such as Facebook by building tools for a “decentralized computing network and app ecosystem” that includes decentralized storage allowing for porting of app data across social media platforms as well as self-sovereign user IDs that would allow for single user identities and passwords across every online application.
More than likely, however, the most damaging threat to Facebook in the near term is the platform’s continued drop in customer engagement. As recognized by Lou Kerner: “On April 24th, 2019, Facebook reported Q1 ’19 earning, and once again, Wall street applauded, sending the shares up 8%, adding another $45 billion in value. While some saw triumph, and others saw further reason to break Facebook up, all I saw was continued decline in the only metric that matters, engagement.”
Kerner’s graphic on the steady decline of daily and monthly active Facebook users is ominous:
Notwithstanding its many privacy transgressions and current regulatory/litigation challenges as well as the future advent of a decentralized Internet, what likely will be the most direct cause of Facebook’s downfall as a platform stems from the simple fact users have been steadily moving away from using it.
Apparently, users have taken the advice of WhatsApp co-founder Brian Acton and have chosen to “delete Facebook.” Even though Facebook, Inc.’s present cash reserve and its other popular applications would likely allow the company to continue as a viable entity for many years even without its eponymous platform, those present users who spend hours each day on Facebook – and have no desire to ever abandon it, might just not be enough to sustain the Facebook platform in the long term.
Simply put, with shrinking levels of engagement the Facebook platform may eventually go from a MySpace to Vine.
On March 20, 2019, the Supreme Court deferred ruling on the settlement of a class action brought against Google. The underlying action was based on Google’s transmission of users’ search terms, i.e., “referrer headers”, to its actual clients. Class counsel argued that the transmission and storage of these referrer headers was in violation of both federal and state law given those conducting the searches never gave proper consent.
In remanding the case to address a potential lack of standing, the Court ruled “[b]ecause there remain substantial questions about whether any of the named plaintiffs has standing to sue in light of our decision in Spokeo, Inc. v. Robins, 578 U. S. ___ (2016), we vacate the judgment of the Ninth Circuit and remand for further proceedings.” This was obviously the correct ruling given a court cannot even hear a matter unless there is proper standing to sue. Given that the Supreme Court only decides matters properly on appeal and the question of standing was not put before it, the matter required a remand.