The advent of the digital age has dramatically reshaped our notions of privacy. Two tech giants, Facebook and Google, have been pivotal in this transformation. Their business models, built on data collection and sharing, initially led to a lax approach toward user privacy. However, numerous privacy scandals and the resulting backlash have significantly influenced both companies and the broader global attitude toward data privacy.
Background: Facebook's and Google's Initial Stance on Privacy
Facebook and Google thrived on the premise of data collection and sharing. Facebook encouraged users to publicly share personal moments, amassing large volumes of personal data. Similarly, Google's mission to "organize the world's information" necessitated extensive data collection for personalized user experiences and targeted advertising. Mark Zuckerberg, Facebook's CEO, stated in 2010, "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time." Larry Page, Google's co-founder, mirrored this perspective, saying, "We know where you are. We know where you've been. We can more or less know what you're thinking about."
Facebook: A Timeline of Privacy Issues and Evolution
5th December, 2007 - Beacon Program: Facebook's Beacon program, which sent data from external websites to Facebook, was one of the earliest controversies, leading to a significant backlash due to privacy concerns.
22nd April, 2010 - Open Graph: The platform faced criticism for sharing user data with third-party applications without explicit consent.
29th November, 2011 - FTC Settlement: Facebook agreed to a settlement with the FTC over charges of deceiving consumers by failing to uphold privacy promises.
2014 - Cambridge Analytica Scandal: The data of millions of users was harvested without consent for political advertising, leading to a severe breach of user trust.
18th May, 2017 - EU Merger Regulation Fine: The European Commission fined Facebook €110 million for providing misleading information during its acquisition of WhatsApp in 2014.
24th July, 2019 - FTC Fine: Facebook was slapped with a $5 billion fine, the largest in FTC history, for violating a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.
2nd September, 2021 - WhatsApp faces $267M fine for breaching GDPR: The Facebook-owned messaging app has been under investigation by the Irish DPC, its lead data supervisor in the European Union, since December 2018, several months after the first complaints were fired at WhatsApp over how it processes user data under Europe’s General Data Protection Regulation (GDPR), once it began being applied in May 2018.
15 Mar 2022 - GDPR $18.6M Fine: Facebook’s parent company, Meta, has been fined €17 million (~$18.6 million) by the Irish Data Protection Commission (DPC) over a string of historical data breaches. The security lapses in question, which appear to have affected up to 30 million Facebook users, date back several years and had been disclosed by Facebook to the Irish regulator in 2018.
28th November, 2022 - GDPR €265 million Fine for Meta: Facebook parent Meta was fined €265 million by the Irish Data Protection Commission (DPC) on 28 November 2022, for the period of 2018 and 2019, for breaching European data protection law. The breach resulted in more than 500 million users' details being published online. The data was hacked and included names, Facebook IDs, mobile phone numbers, real addresses, birth dates, and email addresses of people from more than 100 countries. The Irish watchdog said a 'significant' number of these users were from the EU.
23rd December, 2022 - Cambridge Analytica scandal $725m fine: Facebook owner Meta has agreed to pay $725m (£600m) to settle legal action over a data breach linked to political consultancy Cambridge Analytica. The long-running dispute accused the social media giant of allowing third parties, including the British firm, to access Facebook users' personal data. The proposed sum is the largest in a US data privacy class action.
22 May 2023 - IE DPA €1.2B Fine: Following the EDPB’s binding dispute resolution decision of 13 April 2023, Meta Platforms Ireland Limited (Meta IE) was issued a 1.2 billion euro fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA). This fine, which is the largest GDPR fine ever, was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020. Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR.
Google: A Timeline of Privacy Issues and Evolution
15th May, 2010 – Google Street View: Google admitted to unintentionally collecting data from unencrypted WiFi networks, which included emails and passwords, since 2006.
9th August, 2012 – Safari Workaround: Google paid a $22.5 million penalty to the FTC for misrepresenting how it tracked Apple’s Safari browser users.
13th May, 2014 – Right to be Forgotten: A case lost in the EU Court of Justice led to the enforcement of the “right to be forgotten,” requiring Google to delist certain individuals’ information upon request.
21st January, 2019 – GDPR Fine: Google was fined €50 million by the French data protection watchdog CNIL for failing to adequately disclose how data was collected across its services for targeted advertising. CNIL said that the fine was issued because Google failed to provide enough information to users about its data consent policies and didn’t give them enough control over how their information is used.
4th September, 2019 – FTC Fine: Google and its subsidiary, YouTube, agreed to pay a $170 million fine for violating children’s privacy by collecting personal information from minors without parental consent.
31st December, 2021 – CNIL Google €150M Fine: The CNIL fined Google a total of 150 million euros because users of google.fr and youtube.com can’t refuse cookies as easily as they can accept them. Several clicks are required to refuse all cookies, against a single click to accept them.
28th December, 2022 – GDPR $57M Fine: France’s data protection authority, CNIL, fined Google €50M (almost $57M), alleging the company violated the EU’s General Data Protection Regulation (GDPR), particularly in the way it handles ad personalization. CNIL says the consent Google collects isn’t “specific” or “unambiguous,” terms outlined by GDPR. This also makes it difficult for users to understand the “plurality of services” (Google, YouTube, Google Maps, Google Photos, etc.) that their data will be used, processed, and combined across, CNIL says.
Shift in Privacy Posture and Consumer Impact
Facebook’s Cambridge Analytica scandal, which resulted in users’ data being used without explicit consent, sparked global outrage and undermined user trust. A notable example is user David Carroll, who discovered Cambridge Analytica had created a 10-page file on him based on his Facebook activity.
Google’s Safari workaround scandal similarly breached user trust by bypassing privacy settings and tracking users without consent. One of the most concerning cases involved an Oregon couple whose private conversations were recorded by their Google Home device and sent to a random contact.
Since these scandals, both Facebook and Google have publicly shifted their privacy stance. Facebook announced a transition into a “privacy-focused communications platform,” promising better encryption and secure data storage. Similarly, Google proposed phasing out third-party cookies and improving privacy controls.
Regulatory and Legislative Changes Due to Privacy Infractions
Privacy scandals involving Facebook, Google, and other tech giants have propelled regulatory changes worldwide to protect user data. In the European Union, the General Data Protection Regulation (GDPR) was implemented in 2018 to strengthen data protection for individuals. The GDPR imposes hefty fines for data breaches and mandates companies to obtain user consent before data collection.
Similarly, the California Consumer Privacy Act (CCPA) came into effect in 2020 in the United States, granting consumers the right to know what personal information is collected, the right to delete personal information held by businesses and the right to opt out of the sale of personal information.
In other parts of the world, such as India, new data protection legislation is being proposed to place stricter controls on how personal data is used and impose penalties for misuse.
Legislative changes are also being considered globally, such as the proposed ePrivacy Regulation in the EU, which will further tighten the rules around electronic communications. However, these regulations also face challenges. Critics argue that they can stifle innovation and place undue burdens on smaller businesses that don’t have the resources of tech giants like Facebook and Google. Furthermore, different regulations in various jurisdictions create a patchwork of privacy laws, complicating compliance for businesses operating globally. While these regulations represent a significant step forward in the fight for digital privacy, finding the right balance between protecting user data, enabling technological innovation, and facilitating global business remains an ongoing challenge.
The journey of Facebook and Google provides a vivid illustration of the evolving privacy narrative in our digital era. Their histories of privacy controversies have triggered a seismic shift in the global privacy discourse and have served as a stark reminder to all companies of the paramount importance of prioritizing user privacy. Despite their public commitments to bolstering privacy, these tech giants continue to face the daunting task of rebuilding user trust, and the efficacy of their privacy measures remains a contentious topic.
The complexities inherent in navigating this ever-evolving landscape of privacy risk management underscore the need for expert guidance. It was in response to these challenges that Privaini was founded. With a mission to provide trust and peace of mind to clients and their customers, Privaini helps businesses traverse this intricate web of privacy concerns, ensuring compliance with legislation, preventing infractions, and cultivating a culture of privacy, respect, and customer focus. The transformative journeys of Facebook and Google highlight the importance of firms like Privaini in today’s interconnected, data-driven world.