Facebook and the FTC: A Wake-Up Call for Companies Collecting Personal Data

By: Michelle Cohen

The FTC is reported to be joining state and international regulators in examining Cambridge Analytica’s actions with data accessed from Facebook, including how the data analytics company obtained the information, what it did with the information, and whether Facebook complied with existing obligations, including a 2012 FTC consent decree.

The situation underscores the importance of and need for clearly defined regulations governing corporate practices like terms and conditions and privacy policies. If a company does not meet the standards, then the regulators can address the non-compliance utilizing enforcement mechanisms. But, at least companies would have a baseline for what the organizations should be doing to protect personal data in this increasing data-ripe online environment. FTC Commissioner McSweeny echoed this sentiment, issuing a statement expressing concern about the Cambridge Analytica situation and calling for “stronger protections for the digital age such as comprehensive data security and privacy laws to protect consumers.”

By now, most readers of our blog know that European countries place stricter controls on guarding personal information than under U.S. law. In fact, the General Data Protection Regulation goes into effect in the EU in just two months, and imposes significant obligations on organizations, requiring them to protect personal information and significantly restricting their ability to use and share that information. In most instances, an individual’s consent is required. In the U.S., aside from certain sector-specific regulations (such as children’s privacy and financial privacy), there is no national standard concerning data protection or data breaches. Rather, there is a patchwork of state requirements relating to breaches. As to personal information collection, the FTC has taken action against companies deemed not to be providing sufficient levels of security or failing to abide by their own privacy promises. (In other words, say what you do and do what you say, or be fined).

Instead of having a patchwork of often vague requirements, the Cambridge Analytica situation presents an opportunity to provide individuals and organizations with clear standards on how companies should treat personal data, especially data provided and shared online. While the U.S. may not want to mimic GDPR (as we generally take a more open market approach), having articulated standards for data security and the access, use and sharing of personal information would provide needed guidance to the industry and give individuals a better understanding of personal information collection, use and disclosure.

Undoubtedly, Cambridge Analytica’s actions and Facebook’s protocols and responses will serve as a “wake up” call of a broader sense for a wide range of companies collecting personal data.