Facebook Data Breach & Advertising Transparency

By Jessica Groopman, Jaimy Szymanski, Rebecca Lieb, and Jeremiah Owyang of Kaleido Insights.

Topic: Facebook Data Breach & Advertising Transparency

Example: Cambridge Analytica

Impact Analysis: Humans (consumers and end users) and Businesses

Confusion still swirls around what really happened (the news cycle on this story has been so unrelenting that we’ve postponed our analysis for weeks, in fact). It’s known that a researcher shared Facebook data with Cambridge Analytica, which was used to influence the 2016 presidential election. As a result of the breach, Facebook could be fined millions and faces increased regulation, both in the U.S. and abroad.

It wasn’t just the data breach that put Facebook in the crosshairs of scandal and governmental investigations in both the U.S. and Europe, but also revelations that trolls linked to Russia spent significantly on ads in the 2016 U.S. presidential election.

Earlier this month, a chastened Mark Zuckerberg, as well as executives from across the company, spent much of F8 working to assure developers — and the world at large — that the company in the future would focus its efforts on using technology “for good.”

Kaleido Insights Analyst Rebecca Lieb recently spoke with a representative from Facebook about the series of steps the social network will take over time to help build consumer trust again. The first of those steps: Facebook will shut down its partners category advertising product. In other words, the company will stop using data that comes in from third-party brokers for advertising purposes. This marks a loss of revenue for the company from a premium ad product.

On the heels of that announcement, Facebook also said it is building a certification tool that will require advertisers to confirm they received user permission before using email addresses to target advertising on the social network. More recently, it has suspended 200 apps on the platform that are suspected of misusing customer data.

Bringing us to last week, when Facebook announced still more measures. Electoral and issue-based ads (e.g. abortion, education, guns, health, immigration, military and terrorism) on Facebook and Instagram will be archived and display a “paid for by” disclaimer. This is intended to prevent political and social-cause advertisers from promoting content under throwaway or misleading page names. The archive will include campaign information such as budget, audience reach, and demographics. Advertisers will also be compelled to verify both their location and identity before ads will be accepted by Facebook.

Sure, Facebook will require advertisers to pledge “all is well and good” with their data collection and use. But … what’s an advertiser’s word worth? Many in the blockchain community aren’t just pointing to the need for trust around B2C data collection, but across the B2B media supply chain as well.  

Three years ago, Facebook reported that Cambridge Analytica certified that the ill-gotten data had been deleted. As did the researcher who obtained it. Facebook later received information that some of the user data had, in fact, not been purged. The New York Times has reported that at least some of the data still exists.

It should be noted that some of Facebook’s recent announcements encompass things the company had to do anyway to be GDPR compliant. Implementing change isn’t something Facebook can do quickly; it would be turning the proverbial battleship. It begs the question: did the Cambridge Analytica scandal offer a platform to promote Facebook’s efforts already underway to adhere to GDPR compliance?

Consumer Impact

Does the breach matter to consumers? The average Facebook user isn’t paying undue attention to the scandal, which has no immediate impact on their life, platform usage, or user experience. The data were used for long-term manipulation, not product marketing or a direct violation of user privacy. This is less tangible to users, making it less likely to incite extreme action like deleting their accounts or protesting the social network. Unlike other major brands that have suffered data theft, Facebook did not notify those users whose data was compromised. This will now be required under GDPR, within 72 hours of incident.

What should digital leaders (marketing, sales, customer care, and security) do?

No major advertisers have pulled off the platform as a result of the breach (other than a handful leveraging the PR value). But, advertisers will have to make a significant change: no longer using third-party data.

Advertisers should also applaud Facebook’s move toward greater transparency around political ads and demand that the platform shift many of its new political ad transparency practices to apply to ads across the spectrum. Certainly disclosure practices (who paid for an ad, what the targeting parameters are, and where that organization is based) are factors no legitimate organization should object to. Given Facebook functions across paid, owned and earned media, this extra degree of transparency would help to legitimize advertisers, as well as to encourage consumer trust. In terms of advertising transparency, Facebook should further this first, political step, and lead by example.

Moreover, Facebook controls a lion’s share of the digital advertising ecosystem. There simply are not a plethora of options available to advertisers who require Facebook’s reach and scale.


  • Maintain advertising investment, but reexamine Facebook advertising strategy as data standards shift and consumer trust follows suit.
  • Set up a policy for how the agencies your company works with will obtain and use data, because your brand will be liable for that use.
  • Be transparent about how the data you collect about your customers will be used. Brands might consider enabling customers to choose how their data will be used and shared. (This can also be effective for building better AI models, as engagement helps optimize systems.) Trust and transparency go hand-in-hand.
  • Until more clarity emerges, exercise caution when using Facebook Messenger for customer service purposes.
  • Deeper guidelines will emerge from professional trade organizations.
  • Consider establishing a data usage panel, and include consumers in the process. Continually review what data you have, why, consumer input and options, e.g. if a consumer opts out, what can you still collect? How can you build trust to re-opt-in?
  • GDPR will have a ripple effect. Whether you conduct business in the EU or not, your competitors may. This raises the bar for everyone and will force other countries to build out similar regulations as a template.

How many breaches can Facebook weather? That remains to be seen, but the company will survive this one. Trust and transparency are the issues, and the individual responsibility of each and every organization.

Image credit: CultureIQ
