Comment: Leaked document revealing Facebook data flaws


A leaked Facebook document has alarmingly revealed to the world how the mega social media giant is unable to account for the utilisation of most of the personal data it holds.

It’s a worrying development for billions of Facebook users, and it could be the biggest red flag yet to governments that companies deemed ‘too big to fail’, which often do fail, need to be more tightly regulated.

Leaked documents aside, the issue also raises a more immediate question of compliance amid a wave of data privacy legislation across the world.

So what do those in the sector have to say about Facebook’s lack of data control?…

Paul Coggins, Co-Founder and CEO, Adludio

“The Facebook news is not surprising. For almost two decades, the platform’s business model has been based on monetising the personal data of its almost three billion users.

“GDPR, and the world’s move towards data privacy, shook this model to the core and so the fact that Facebook has no quick or easy fix was, of course, to be expected.

“Obviously data compliance now needs to be baked into companies, and this is clearly not the case with the world’s largest social network. 

“But the conversation should not just be about compliance. Indeed, tracking customers was what got us into this situation, whereas we should have been speaking to them.

“Creativity, therefore, in engaging and interactive ads, should be prioritised and technologies toward it should be engaged with. Not only do creative ads avoid the privacy obstacle, but they lead to more meaningful brand experiences. 

“This will also move us on from the public distrust in digital ads that Facebook helped cause.”

Tim Spratt, Co-Founder, Permutive

“What the recent Meta breach shows is that despite being closed ecosystems, walled gardens aren’t immune from the impact of privacy regulation. 

“This is especially pertinent considering the rise in closed platforms as an answer to the deprecation of third-party data. 

“In reality, consent is far bigger than the removal of cross-context identifiers – it sits at the heart of every first-party data company now, and the ability to control first-party usage is critical to being able to legally operate a business.

“Meta’s Facebook platform was built in an era of unfettered data, where loose constraints were applied within its four walls. 

“The regulatory requirement is to have full oversight and understanding of the data within these walls and enforce users’ preferences. 

“The information coming from the leak suggests this isn’t the case for Meta, and their ads business is likely non-compliant with the GDPR and upcoming privacy regulations in other jurisdictions.

“Going forward, the ability to track and enforce consent of first-party data at a granular level can’t just be a bolt-on – it must be treated with the highest importance. 

“Ultimately, Meta’s existing infrastructure design makes it technically infeasible for them to meet GDPR requirements such as the right to erasure, leaving them with a ticking regulatory time bomb. 

“Ensuring consent is a first-class consideration requires rearchitecting first-party data platforms from the ground up, as evidenced by the large investment Meta proposes in the leak, and we’re seeing parties in the independent ad-tech ecosystem start to think seriously about their responsibilities and the vendors they work with.”

Gabe Morazán, Product Director, Sourcepoint

“One of the main issues highlighted by the leaked document is specifically related to purpose limitation. 

“This has been one of the most difficult aspects of regulatory compliance for many apps, including Facebook, because they amassed consumer data without ever engaging in meaningful dialogue with the user about how it would be used. 

“It’s much harder to reverse engineer the data provenance and purpose limitation than to build with that in mind.

“This is a great example of why enterprise applications struggle with data privacy, particularly purpose limitation. They simply weren’t built with privacy in mind. 

“In a race to embrace agility and cloud transformation, enterprise applications have decoupled and decentralised customer data making it difficult to track where customer data is going and how it’s being used.

“In addition, it highlights the need for compliance teams to operationalise data privacy and embed ‘privacy by design’ practices throughout the organisation or they’ll continue to face massive disruptions each time a new law is introduced or an existing law is changed. 

“It’s no longer acceptable to do the bare minimum when it comes to customer trust and privacy.”
