Privacy is a Blue Chip Investment for Businesses

I recently read an article in the wake of the precipitous drop in Facebook stock, titled: “Facebook ‘puts privacy first’ and stocks plunge 20%”. The title alone was enraging. To suggest that prioritizing privacy can cause Facebook to suffer a devaluation is preposterous and a serious disservice to companies everywhere. But, before the air gets thin atop this soapbox, let’s discuss why this is such a ridiculous statement.

Privacy is not a foreign or new concept. In fact, it has been here in the United States for a long time. More “recently” privacy became important when dealing with healthcare and financial data. For healthcare, we have the Health Insurance Portability and Accountability Act (HIPAA), which was passed in 1996 and the HITECH Act in 2009. In the financial industry, we have the Financial Industry Regulatory Authority (FINRA) and the Gramm-Leach-Bliley Act (GLBA). And yet, there is absolutely no regulation (state or federal) that is currently in effect that addresses one of our most prevalent personal data information sharing platforms- social media.

On Facebook, Instagram, Snapchat, and the like, we provide some of the most private details about ourselves. Subconsciously we believe that only our “friends” see or even care about what we are posting, but the reality of it is that we cannot actually see whom we are sharing this information and, therefore, we are inadvertently oversharing. We post information, photos, location details, statements and political opinions, some of which we would likely never share or say to people if they were standing in front of us. This anonymity in the way we communicate has fundamentally changed our culture forever.

Within this social media driven culture, the laws within the US have not kept pace with the new “normal” in the realm of privacy. However, that is not the case outside of the US: Europe, Asia, Canada, South America — countries in all of these regions are more intune with the concept of data privacy and pushing out regulations to attempt to address this growing invasion into the individual’s daily life.

Take for example, Europe: the EU’s Charter of Fundamental Rights includes the right to privacy and the right to data protection which has been given new life by the European Union’s General Data Protection Regulation (GDPR). The GDPR is a legal framework that sets guidelines for the collection and processing of personal information. See our recent blog posts for a deep dive into the many nuances of the GDPR. On this side of the Atlantic, California is taking a crack at privacy regulations with the Consumer Protection Act of 2018 (CCPA) (which we break down for readers here).

But this blog is not inspired by the GDPR (as interesting as it may be) or the CCPA (as much as California’s attempt to ensure consumer privacy gives a sense of domestic optimism). It was inspired by the aforementioned article entitled “Facebook ‘puts privacy first’ and stock plunges 20%.”

A few short months ago we learned that Cambridge Analytica allegedly collected data from Facebook users via a personality app. In short, this allowed the collection of data about users and their friends, including likes, activities, check-ins, location, photos, religion, politics, and relationship details. The information was then passed to Cambridge Analytica. And then … BOOM, a huge scandal.

In the wake of the Cambridge Analytica revelation, Facebook has vowed to take proactive steps to enhance privacy and security on its social network. But, what does hat mean? In short, a capital investment to improve privacy and security. It does not take a rocket scientist, or a Harvard-educated economist, to know that when you are investing in a business, such investment may effect or even stagnate profits.

So back to the article that inspired this post. The article quotes Wedbush analyst Michael Pachter, who characterized the sales slump Facebook was experiencing as a “self-inflicted wound,” saying that “[t]he fallout is coming from within the company in an effort to limit fake news, offensive information and security/privacy breaches.” “Putting privacy first” did not cause Facebook stocks to drop. Not putting privacy and security and privacy first caused Facebook’s stocks to drop. If Facebook, and for that matter companies in general, put value (and stock-pun intended) in security and privacy, the Cambridge Analytica scandal may never have happened, or may have been significantly mitigated. Not putting privacy and security first allowed private information about Facebook users to be exploited. As the realization is sinking in, and less and less people are signing up for a Facebook account, or even deleting their existing account because of distrust and disgust in what happened-, it is not a surprise that Facebook’s profitability has gone down.

But this does not have to be the last chapter and verse. Facebook can and will recover, but what should the rest of us do and learn from this tale? First, any company that collects, stores, tracks, uses, shares, and [insert activity here] personal data should make privacy and security a priority. Not just a box to check but a bluechip priority in the very culture of its organization. Avoiding, or at the worst limiting, issues like the Cambridge Analytica scandal should be of the utmost importance to every organization. It should not just be a regulatory obligation that causes an organization to invest in privacy and security, but a general emphasis on creating a culture and organization of security and privacy.

Privacy will become a selling point as people become increasingly aware of the issues associated with giving away their private information (not just the SSN or healthcare information) and other data that is tracked by companies like Facebook. So, tech start-ups, app developers, software engineers consider this: can you afford not to put a premium on privacy and security when it is clearly a good investment?


Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.