Has Facebook violated user consent rules?
The concern now is that Facebook, together with many of the most popular Android apps in the world, might be violating European privacy law. In May 2018, the European General Data Protection Regulation (GDPR) went into effect, and the law specifically notes that companies cannot collect information on users in the European Union without user consent, and that any information collected cannot be used to identify the user. EU user consent rules, then, are much stricter now than those currently in place in the U.S.
So the question really becomes a legal one that will rest considerably upon the term “user consent.” As spelled out by the European GDPR, user consent “must be freely given, specific, informed and unambiguous.” Thus, the fact that the Facebook SDK was being used to transmit information without first having a chance to ask for user consent is particularly troublesome.
Moreover, one could plausibly argue that user consent is no longer “informed” or “unambiguous.” That’s because Privacy International found that user data was being transmitted to Facebook even when the Android phone user did not have a Facebook account! A person without a Facebook account (and even a person who is logged out of his or her Facebook account) would have a reasonable expectation that no data was being shared with Facebook, right? That was not the case with 20 of the 34 apps tested by Privacy International.
And, complicating matters even further, the Privacy International report suggests that any “opt-out” policy from Facebook is basically worthless. Privacy International tested opt-outs for Facebook’s cookies policy and found “no discernible impact” from opting out. In other words, Facebook is going to track you, whether you like it or not.
Regulatory enforcement actions on the horizon
So what happens next? As might be expected, Facebook has thus far said all the right things, just as it did after the Cambridge Analytica scandal came to light. In comments about the report, Facebook has said that it is working to correct the SDK. And the Silicon Valley social network agrees that users should always have the right to know when apps are transmitting their personal data and when data is collected. In words, at least, Facebook has thrown its support behind the concept of user consent.
But haven’t we heard this story before? Facebook first claims to have fixed all the old problems. Then, when those claims are proven to be false (or, at least, highly inaccurate), Facebook promises to mend its bad habits. Then, when talk starts to build about regulatory enforcement and financial penalties, Facebook begins a public relations offensive, promising that its self-regulation will be better and stronger than any that can be imposed by data protection regulators. The only problem is, regulators may finally tire of this strategy and begin to punish Facebook for its continual – and some might say ubiquitous – efforts to collect personal data from users, often without their knowledge or user consent.