A New Era for Facebook: The Regulatory Implications of the Cambridge Analytica Incident
by Moin Syed
The collection and monetization of users’ data is a core part of Facebook’s strategy. However, Cambridge Analytica’s (CA) unauthorized collection and exploitation of this data exposes both the breadth and complexity of the information Facebook has on individuals and the insidious nature of the methods used to collect it.
The digital profiles created from users’ data can give Facebook and its partners extremely intimate insight into an individual’s life — from spending habits to political leanings. These datasets are highly sought after for intelligent targeting purposes. The use cases vary from a company promoting kitchen appliances to activities with broader social impact, such as shaping public opinion through the dissemination of misinformation.
The CA story has opened a Pandora’s box of regulatory risks for Facebook, and the fallout could have meaningful consequences for companies that rely on advertising-driven business models. Many advocates of stronger, more sophisticated privacy regulation feel vindicated, but these sentiments are not only coming from regulators. Technology companies, such as Apple and IBM, are also speaking out. Apple’s CEO, Tim Cook, called for strong privacy regulations to prevent abuse of user data.
Sustainalytics has been flagging risks associated with data privacy and security in our Environmental, Social and Governance (ESG) research for several years. For companies, the challenge of balancing stakeholder trust with aggressive data monetization inherently raises exposure to regulatory, legal and reputational risks. 
Privacy Concerns At A Fever Pitch
The fallout from the CA crisis has drastically elevated privacy concerns from regulators. Scrutiny is escalating in multiple jurisdictions, including the United States, Canada, the UK, the European Union, India, Australia and Israel. One key risk for Facebook is related to the 2011 consent decree it signed with the US Federal Trade Commission (FTC). The consent decree was part of a settlement related to previous instances of unauthorized access to user data by third-party applications. In a rare move, the FTC confirmed that it launched a non-public investigation into whether Facebook violated the agreement.
Moreover, Facebook was aware of CA’s unauthorized access in 2015, but did not publicly disclose the violation. Some shareholders have already filed lawsuits claiming the company withheld material information and these lawsuits could spur the US Securities and Exchange Commission (SEC) to investigate whether Facebook was obligated to disclose this information back in 2015. The SEC has issued guidelines on how companies should approach cybersecurity and related disclosure since 2011, including a February 2018 guidance that advised companies to “take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”
The CA episode has perpetuated legitimate fears that there are more cases of user privacy being violated. Following the CA story, additional allegations surfaced including claims that Facebook recorded call logs and data from Android-based users. Facebook has since disclosed that the data of all its 2 billion-plus users could have been improperly accessed. Given the materiality of user data to Facebook’s core business (Facebook has lost billions in market cap since March 17th), these concerns could make it difficult for Facebook to continue to monetize its considerable data assets without triggering additional scrutiny. As the EU’s Global Data Protection Regulation (GDPR) comes into force in May 2018, Facebook should expect enhanced scrutiny in Europe of how it approaches user data monetization as well as its overall data supply chain. In the aftermath of CA, companies like Facebook will likely need to take comprehensive action to ensure that anyone with access to their data, including third parties, follows strong privacy and security protocols. This means a potentially limited upside from data monetization as restricted data sharing could limit Facebook’s appeal to advertising and other business partners.
Facebook and other companies with user data monetization models have a long, and likely never-ending, road ahead in winning back the trust of stakeholders, including regulators. However, the regulatory scrutiny Facebook is under is part of a larger trend that we expect to continue. Most companies, especially those handling sensitive data, are highly exposed to privacy breaches and cybersecurity risks. As responsible investors assess their portfolios and develop engagement approaches, it would be prudent to consider data privacy and security risks alongside “traditional ESG issues.” In many cases, these risks may fly under the radar until there is a major event that escalates the issue, much like the Cambridge Analytica scenario.
See our publications: 2016 ESG Spotlight report on data privacy; 10 for 2017 story on cybersecurity; 10 for 2018 story on digital antitrust; 2017 ESG Spotlight report on fake news; and our Special Alert downgrades on Facebook, Equifax, Yahoo! and Alphabet.