Facebook’s New Era: The Regulatory Implications of the Cambridge Analytica Incident

Posted on April 11, 2018

Moin Syed
Manager Technology, Media and Telecommunications Research

The collection and monetization of users’ data is a core part of Facebook’s strategy. However, Cambridge Analytica’s (CA) unauthorized collection and exploitation of this data exposes both the breadth and complexity of the information Facebook holds on individuals and the insidious nature of the methods used to collect it.

The digital profiles created from users’ data can give Facebook and its partners extremely intimate insight into an individual’s life — from spending habits to political leanings. These datasets are highly sought after for intelligent targeting purposes. The use cases vary from a company promoting kitchen appliances to activities with broader social impact, such as shaping public opinion through the dissemination of misinformation.

The CA story has opened a Pandora’s box of regulatory risks for Facebook, and the fallout could have meaningful consequences for companies that rely on advertising-driven business models. Many advocates of stronger, more sophisticated privacy regulation feel vindicated, but these sentiments are not only coming from regulators. Technology companies, such as Apple and IBM, are also speaking out. Apple’s CEO, Tim Cook, called for strong privacy regulations to prevent abuse of user data.

Sustainalytics has been flagging risks associated with data privacy and security in our Environmental, Social and Governance (ESG) research for several years. For companies, the challenge of balancing stakeholder trust with aggressive data monetization inherently raises exposure to regulatory, legal and reputational risks. [1]

Privacy Concerns At A Fever Pitch

The fallout from the CA crisis has drastically elevated privacy concerns from regulators. Scrutiny is escalating in multiple jurisdictions, including the United States, Canada, the UK, the European Union, India, Australia and Israel. One key risk for Facebook is related to the 2011 consent decree it signed with the US Federal Trade Commission (FTC). The consent decree was part of a settlement related to previous instances of unauthorized access to user data by third-party applications. In a rare move, the FTC confirmed that it launched a non-public investigation into whether Facebook violated the agreement.

Moreover, Facebook was aware of CA’s unauthorized access in 2015, but did not publicly disclose the violation. Some shareholders have already filed lawsuits claiming the company withheld material information and these lawsuits could spur the US Securities and Exchange Commission (SEC) to investigate whether Facebook was obligated to disclose this information back in 2015. The SEC has issued guidelines on how companies should approach cybersecurity and related disclosure since 2011, including a February 2018 guidance that advised companies to “take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”

The CA episode has perpetuated legitimate fears that there are more cases of user privacy being violated. Following the CA story, additional allegations surfaced including claims that Facebook recorded call logs and data from Android-based users. Facebook has since disclosed that the data of all its 2 billion-plus users could have been improperly accessed. Given the materiality of user data to Facebook’s core business (Facebook has lost billions in market cap since March 17th), these concerns could make it difficult for Facebook to continue to monetize its considerable data assets without triggering additional scrutiny. As the EU’s Global Data Protection Regulation (GDPR) comes into force in May 2018, Facebook should expect enhanced scrutiny in Europe of how it approaches user data monetization as well as its overall data supply chain. In the aftermath of CA, companies like Facebook will likely need to take comprehensive action to ensure that anyone with access to their data, including third parties, follows strong privacy and security protocols. This means a potentially limited upside from data monetization as restricted data sharing could limit Facebook’s appeal to advertising and other business partners.

What’s Next?

Facebook and other companies with user data monetization models have a long, and likely never-ending, road ahead in winning back the trust of stakeholders, including regulators. However, the regulatory scrutiny Facebook is under is part of a larger trend that we expect to continue. Most companies, especially those handling sensitive data, are highly exposed to privacy breaches and cybersecurity risks. As responsible investors assess their portfolios and develop engagement approaches, it would be prudent to consider data privacy and security risks alongside “traditional ESG issues.” In many cases, these risks may fly under the radar until a major event escalates the issue, much like the Cambridge Analytica scenario.

[1] See our publications: 2016 ESG Spotlight report on data privacy; 10 for 2017 story on cybersecurity; 10 for 2018 story on digital antitrust; 2017 ESG Spotlight report on fake news; and our Special Alert downgrades on Facebook, Equifax, Yahoo! and Alphabet.
