Customer Personalization and Data Privacy: 6 Facebook Takeaways for CMOs

Last spring when news broke that controversial political data analytics provider Cambridge Analytica had accessed up to 87 million Facebook profiles, the fallout was intense.

Less than a year later, the company is more mired than ever in controversy, but the scandal has served as a catalyst for consumers’ growing awareness about the amount of personal data that’s collected, as well as how much responsibility organizations take in safeguarding it and using it for such efforts as customer personalization.

So what lessons can be learned from what happened to Facebook?

This is an excellent opportunity for marketers to think about how consumer privacy protection can guide marketing strategy. These are our biggest takeaways.

1. Customer privacy must always be a priority.

   A few weeks after the initial revelation, Facebook announced that it had redesigned its settings in a move to calm user backlash. New privacy controls included access to an intuitive settings menu as well as additional shortcuts for controlling private information. One thing the company finally did was make privacy settings easier to find (rather than burying them far out of site). This was a big step for a company that had previously pushed through frequent, unannounced privacy changes that made it seem like securing personal information was an afterthought. Importantly, the redesign announcement showed it was trying to change.

   What we’ve all learned is that a reactive approach to privacy doesn’t inspire confidence, and it won’t fix things after the damage has been done. A better approach is to proactively set up accessible privacy policies and controls for all customers. Then, clearly and consistently communicate how much your organization values customer privacy. And when things change or policies are updated — always keep customers informed so no one’s caught off guard. This goes a long way to inspiring consumer confidence.

2. Limiting (and monitoring) third-party access helps prevent partners from misusing data.

   Cambridge Analytica accessed Facebook user data through a third-party personality quiz app, which grabbed the data of people using it as well as that of their friends. In other words, people who didn’t even take the quiz had their data privacy compromised. In the aftermath, as Facebook’s privacy practices came under scrutiny, it became clear that once data reached outside entities, Facebook had no way to know how the data was used. Five days after the news broke, Mark Zuckerberg laid out steps to change things, including audits to prevent further data misuse.

   Organizations that are serious about keeping their reputations intact may not always be able to trust that the companies they do business with will do the right thing. Make customer data protection a priority at your company by instituting regular audits without waiting for bad actors to make it a necessity.

   Make customer data protection a priority at your company by instituting regular audits without waiting for bad actors to make it a necessity.

3. Keep nonuser data off-limits.

   During Zuckerberg’s testimony to members of Congress, it came to light that Facebook collects data on people even if they’ve never signed up for the social network (for “security purposes”). The company also targets nonusers with ads regardless of whether they’ve consented to them. So while the controversy grew larger, and Facebook users began announcing plans to delete their profiles, it was clear that the company’s policies meant their data couldn’t so easily escape its wide-ranging reach.

   With data breaches growing exponentially every year, it doesn’t make sense for companies to take the risk of collecting and storing data about people who aren’t even using their website. There’s certainly the public relations angle to consider; more importantly, there are legal implications that weigh even more heavily. Consumers are protected by key new regulations such as the GDPR and CCPA, a topic covered in a recent Treasure Data blog post, GDPR vs. CCPA – What You Still Need to Do to Comply.

4. Early disclosure and a proactive response helps to defuse a situation.

   In his April 2018 Congressional testimony, Zuckerberg stated: “In 2015, we learned from journalists at The Guardian that Kogan had shared data from his app with Cambridge Analytica…. Last month, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified.” In other words, Facebook likely knew about the data privacy problem already, and relied on Cambridge Analytica’s promise to delete it. As a result, when the truth came to light, accusations flew that it hoped the problem would just go away and no one would ever find out.

   Ultimately, organizations that improperly handle customer data or act slowly in response to data privacy loss, data leaks, and cybersecurity breaches suffer the worst outcomes in terms of public confidence, damaged reputations, and potentially legal action. An early, proactive response is essential.

   Some tips for what to do when a possible data breach happens to your company, or to a close partner:

   • Understand what happened.

     If a breach occurs, you’ll need to conduct a full investigation to determine how many files were affected, the type of data that was exposed, and how people can further protect themselves against the incident.

   • Know your data.

     If you understand how your company collects, stores, and handles data, you’re better prepared to protect it from a data breach. Ideally, there’s a single platform where everything is stored, so that it’s easier to track and manage.

   • Research federal/state regulations.

     Breach legislation varies by state. Make sure you know who requires notification, as well as turnaround time and delivery methods. Discuss regulations with legal counsel and your breach response team.

   • Create a response plan.

     Employees that handle sensitive data should be educated on proper cybersecurity habits, common online threats, and what to do in the event of a breach.

5. Don’t blame anyone else.

   Zuckerberg ends his blog post about the incident by stating, “I started Facebook, and at the end of the day I’m responsible for what happens on our platform.” We couldn’t agree more. To be taken seriously when things go awry, it’s best to admit fault right from the start and sincerely apologize for how you’ve let people down. Then, follow up with what you’ll do to make sure nothing like this happens again. Explaining what happened is important, too. But if you’ve acted swiftly and demonstrated your commitment to fixing things, people won’t necessarily be concerned with the nitty-gritty details.

6. Embrace transparency — it’s insurance against data privacy scandals.

   Public trust in corporations is at an all-time low. By making a good faith effort to reveal crucial details to your customers about how their data is used, you’ll go far in building trust. Obscure or esoteric terms and conditions and hidden data privacy settings make your company look bad. Honesty is usually the best policy.

   People expected to sacrifice a little bit of their privacy when they signed up with Facebook. Fueling the public outrage was that people started to realize how little they knew about what was being done with their data. In the months that followed, Facebook worked on rectifying matters by being more transparent. But other privacy-related revelations have since emerged, so it’ll be a long road before the public trusts Facebook again.

On a positive note

Facebook’s problems have certainly been an eye-opener for everyone who works with customer data. They are also a valuable reminder to organizations that privacy and leak prevention cannot be taken lightly. The health of your business depends on it, so it’s a good idea to take positive action now and assess how your company handles privacy and customer data.