Facebook’s New Era: The Regulatory Implications of the Cambridge Analytica Incident

Posted on April 11, 2018

Moin Syed
Manager, Technology, Media and Telecommunications Research

The collection and monetization of users’ data is a core part of Facebook’s strategy. However, Cambridge Analytica’s (CA) unauthorized collection and exploitation of this data exposes both the breadth and complexity of the information Facebook holds on individuals and the insidious nature of the methods used to collect it.

The digital profiles created from users’ data can give Facebook and its partners extremely intimate insight into an individual’s life — from spending habits to political leanings. These datasets are highly sought after for intelligent targeting purposes. The use cases vary from a company promoting kitchen appliances to activities with broader social impact, such as shaping public opinion through the dissemination of misinformation.

The CA story has opened a Pandora’s box of regulatory risks for Facebook, and the fallout could have meaningful consequences for any company that relies on an advertising-driven business model. Many advocates of stronger, more sophisticated privacy regulation feel vindicated, and the calls for regulation are not coming only from regulators and privacy advocates. Technology companies such as Apple and IBM are also speaking out: Apple’s CEO, Tim Cook, has called for strong privacy regulation to prevent abuse of user data.

Sustainalytics has been flagging risks associated with data privacy and security in our Environmental, Social and Governance (ESG) research for several years. For companies, the challenge of balancing stakeholder trust with aggressive data monetization inherently raises exposure to regulatory, legal and reputational risks. [1]


Privacy Concerns At A Fever Pitch

The fallout from the CA crisis has drastically elevated privacy concerns from regulators. Scrutiny is escalating in multiple jurisdictions, including the United States, Canada, the UK, the European Union, India, Australia and Israel. One key risk for Facebook is related to the 2011 consent decree it signed with the US Federal Trade Commission (FTC). The consent decree was part of a settlement related to previous instances of unauthorized access to user data by third-party applications. In a rare move, the FTC confirmed that it launched a non-public investigation into whether Facebook violated the agreement.

Moreover, Facebook was aware of CA’s unauthorized access in 2015, but did not publicly disclose the violation. Some shareholders have already filed lawsuits claiming the company withheld material information and these lawsuits could spur the US Securities and Exchange Commission (SEC) to investigate whether Facebook was obligated to disclose this information back in 2015. The SEC has issued guidelines on how companies should approach cybersecurity and related disclosure since 2011, including a February 2018 guidance that advised companies to “take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”

The CA episode has fuelled legitimate fears that there are more cases of user privacy being violated. Following the CA story, additional allegations surfaced, including claims that Facebook collected call logs and related data from users of its Android apps. Facebook has since disclosed that the data of all its 2 billion-plus users could have been improperly accessed. Given the materiality of user data to Facebook’s core business (Facebook has lost billions in market capitalization since March 17th), these concerns could make it difficult for Facebook to continue to monetize its considerable data assets without triggering additional scrutiny. As the EU’s General Data Protection Regulation (GDPR) comes into force in May 2018, Facebook should expect enhanced scrutiny in Europe of how it approaches user data monetization as well as of its overall data supply chain. In the aftermath of CA, companies like Facebook will likely need to take comprehensive action to ensure that anyone with access to their data, including third parties, follows strong privacy and security protocols. This means a potentially limited upside from data monetization, as restricted data sharing could reduce Facebook’s appeal to advertising and other business partners.

What’s Next?

Facebook and other companies with user data monetization models have a long, and likely never-ending, road ahead in winning back the trust of stakeholders, including regulators. However, the regulatory scrutiny Facebook is under is part of a larger trend that we expect to continue. Most companies, especially those handling sensitive data, are highly exposed to privacy breaches and cybersecurity risks. As responsible investors assess their portfolios and develop engagement approaches, it would be prudent to consider data privacy and security risks alongside “traditional ESG issues.” In many cases, these risks may fly under the radar until a major event escalates the issue, much as the Cambridge Analytica scenario has.

[1] See our publications: 2016 ESG Spotlight report on data privacy; 10 for 2017 story on cybersecurity; 10 for 2018 story on digital antitrust; 2017 ESG Spotlight report on fake news; and our Special Alert downgrades on Facebook, Equifax, Yahoo! and Alphabet.
