Facebook, Privacy, and the Future of Personalization


Share on LinkedIn

Readers of this blog and the CDP Institute newsletter know that I’ve been fussing for years about privacy-related issues with Facebook, Google, and others. With the issue now attracting much broader public attention, I’ve backed off my own coverage. It’s partly because people can now get the information without my help and partly because there’s so much news that covering it would consume too much precious reader attention. But, ironically, the high level of noise around the topic also means that some of smaller but significant stories get lost.

I’ll get to covering those in a minute. But first a general observation: the entirely coincidental convergence of the Facebook/Cambridge Analytica story and implementation of the European Union’s General Data Protection Regulation (GDPR) seems to have created a real possibility of changes to privacy policies everywhere, and most particularly in the United States. In a nutshell, the Facebook news has made people aware of how broadly their data is shared and GDPR has shown them it doesn’t have to be this way. Until now, few people in the U.S. really seemed to care about privacy and it seemed unlikely that they would overcome the resistance of commercial interests who largely determine what happens in the government. (Does that make me sound horribly cynical? So be it.) It’s still very much uncertain whether any significant change will take in U.S. laws or regulatory agencies. But that there is any significant chance at all is brand new.

So much for that. Just wanted to get it on the record so I can point to it in case something actually happens. Here are some developments on the Facebook / Walled Garden / Privacy fronts that you might have missed.

More Bad News

One result of the heightened interest in these issues that public agencies, academics, and especially the media are now looking for stores on the topic. This in turn means they find things that were probably always there but went unreported. So we have:

– CNN discovers that ads from big brands are still running on YouTube channels of extremist groups.
This has been a known problem forever, so the fact that it gets reported simply means that journalists chose to look for it and decided people would be interested in the results.

– Washington Post finds paid reviews are common on Amazon, despite being officially banned.  Again, this comes under the heading of “things you could always find if you bothered to try”.

– Journalism professor Young Mie Kim found that fully half the groups running political advertising on Facebook during the 2016 election couldn’t be traced.  Kim started her research before the current news cycle and it was probably accepted for publication before then too. But would Wired have picked it up?

– PricewaterhouseCooper’s FTC-mandated privacy review of Facebook in 2017 failed to uncover the Cambridge Analytica breach.  It’s more evidence for the already-obvious fact that current privacy safeguards don’t work. But it never would have seen the light of day if this hadn’t been a hot issue.

Attacks from All Sides

Politicians, government agencies, and business rivals are all trying to gain advantage from the new interest in privacy.

– Immediately after the Zuckerberg hearings in Congress, two Senators introduced a bill to give consumers more rights over their data.  The language was highly reminiscent of GDPR.

– A group of 31 state attorneys general opposed a bill to create a Federal law with standards for reporting about data breaches, fearing that Federal standards would override more stringent state regulations. Of course, this is exactly what the sponsors intend. But now the state AGs are more motivated to resist.

– The Securities and Exchange Commission (SEC) fined Yahoo $35 million for failing to discuss a 2014 data breach involving over 500 million accounts.  Data protection isn’t usually a SEC concern, so it’s equally interesting that they chose to make it an issue (arguing the breach was news that should have been shared with investors, which seems a bit of a stretch) and the Republican-majority Federal Trade Commission is steadfastly unengaged.

– Four major publisher trade groups have attacked Google’s proposed approach to gathering advertising consent, which places the burden on the publishers but requires them to share user data.  This would have been an issue under any circumstances but I suspect that publishers are emboldened to resist by the expanded interest in privacy and greater hostility to the Google, Facebook, et. al.

Scrambling by Facebook

Facebook has been scrambling to redeem itself, although it has so far avoided changes that would seriously (or even slightly) impact its business.

– It has ended a program to target ads using data from external compilers, such as Acxiom.  How this helps privacy isn’t clear but it sounds good and conveniently makes Facebook’s own data even more valuable.

– It announced major API changes that limit the amount of data shared with developers.  Note carefully: they’re not limiting data collected by Facebook, but only how much of that is shared with others. Similar changes applied to Facebook-owned Instagram. Again, the actual effect is to add value to ads sold by Facebook itself.

– It announced just today that it will let members block it from collecting data about their visits to non-Facebook Web sites.  By now you see a pattern: less data from outside of Facebook makes Facebook data more important. This reflects perhaps the most disturbing revelation from the Zuckerberg hearings: that Facebook collects such data even on non-members. But the change doesn’t address that issue, since only members can tell Facebook to stop the data collection. If you find this confusing, that’s probably no accident.

– It promised to add an “unsend” feature to Messenger.  Nice, but it only happened after reports that Facebook executives themselves already had this capability.

– It rolled out a new centralized privacy center that made settings easier to manage but apparently didn’t change what users can control.

– More substantively, it promised to apply GDPR consent rules globally.  Signals were a bit mixed on that one but maybe it will happen. Who wants to start a betting pool?

– It dropped opposition to a proposed consumer privacy law in California.  Good but it would have been a public relations disaster to continue opposing it. And who knows what they’re doing in private?

– On the Google front: Google-owned YouTube has touted its efforts to flag objectionable videos.  That’s not exactly a privacy issue but probably overlaps the public perception of how online tech giants impact society. Remember they’re also motivated by tough laws in Germany and France enacted early this year, which require to remove illegal content within 24 hours.

Business as Usual for Everyone Else

How much of this is unique to Facebook and how much reflects a fundamental change in attitudes towards data privacy? Certainly Google, Amazon, and others are tip-toeing quietly in background hoping not to be noticed. Per the above, YouTube has occasionally wandered into the spotlight, especially when extremist videos on YouTube intersect with extremist content on Facebook. Over-all, I’d say it’s very much business as usual for most firms that gather, sell, and employ consumer data.

– Amazon continues to offer amazingly intrusive concepts with little evidence of pushback. For example, they’re expanding their Amazon Key in-home delivery program to also leave packages in your car.  And they continue to expand the capabilities of Alexa ‘smart speaker’ (a.k.a. ‘always listening’) systems, most recently by making it easier for people to build their own custom capabilities into the system.

– Similarly, Waze has been merrily promoting its ability to share data about traffic conditions, setting up any number of integrations such as deals with Carto and Waycare to help traffic planning and, in Waycare’s case, warn drivers about current road conditions. Waze’s data is truly anonymized, at least so far as we know. But they certainly don’t seem to be worried a general privacy backlash.

– Another announcement that raised at least my own eyebrows was this one from Equifax, which headlined the blending of consumer and commercial data to predict small business credit risks. Anything that suggests personal data is being used for business purposes could worry people – but apparently it that doesn’t worry Equifax marketers.

What Do Consumers Think?

The big question in all this is whether consumers (should we just call them “people”?) remain concerned about privacy or quickly fall back into their old, carefree data sharing ways. It’s probably worth noting that Facebook was already uniquely distrusted compared with Google and Amazon, both by consumers and small business.

We do know that most have been following the Cambridge Analytica story in particular. But, to their credit, they also recognize that what they post on Facebook is public even if they don’t necessarily understand just how much tracking really takes place.

Sure enough, it seems that few Facebook users actually plan to close their account and, more broadly, there’s little support for government regulation of social media.

Indeed, most consumers are generally comfortable with sharing personal information so long as they know how it will be used. 

Surveys do show that EU consumers say they’ll exercise their privacy rights under GDPR, but it’s reasonable to wonder how many will follow through. After all, they’re notably lax on other cybersecurity issues such as changing default passwords on home networks.

But this doesn’t mean that Facebook and similar firms are home free. Consumers are smart enough to distrust recommendations from smart speakers, as indeed they should be.
They’re also not terribly enthusiastic about ads on smart speakers or, indeed, about personalization in general.
On the other hand, of course, many studies do show that consumers expect personalized experience, although there’s some reason to suspect marketers overestimate its importance compared with other aspects of the customer experience.

This matters because personalized experiences are the main public justification that marketers give for gathering personal data – so consumers who increase the value they place on privacy could quickly reach a tipping point where privacy outweighs the benefits of personalization. That could radically shift how much data marketers collect and what they can do with it. Given the dire consequences that would have for today’s marketing ecosystem, everyone involved must do as much as possible to make sharing data genuinely safe and worthwhile.

Republished with author's permission from original post.


  1. Hi David, a lot of interesting observations. I do believe that what we see right now in the wake of Cambridge Analytica is a ‘fake storm’. People are and will continue to value convenience over privacy to quite an extent. I also think that even seemingly strict regulations like GDPR have quite some loopholes (legitimate interest, for example).

    There is no price tag on the data that we give away every day, means it is free for whoever grabs it. Turning this around the only way of making sure that personal data is taken really serious (personal) by their owners – the people – is by ensuring that people can make a profit out of their data. Right now they can’t.

    Based on that assumption: What do you think of the possibility of success for business models that make advertisers or data collecting agencies pay for people’s data? Will there just too much pushback by the incumbents?

    Just thinking …

  2. Hi David: Interesting that in your last paragraph, you mentioned that ‘personalized experiences’ is the rationale that companies so often give to consumers for harvesting and storing their data. Too few people understand this, and even fewer have the courage to say it. I think it’s important for the public to hear this message loudly and often, because any effort to curtail the overwhelming information power that companies enjoy over consumers must come from the public. I expect very little from politicians because 1) if you watched Zuckerburg’s testimony on Capitol Hill, politicians don’t understand the technology or the issues, and 2) the leadership is feckless.

    As an interim measure, I recommend 1) people wean themselves from social media platforms like Facebook, 2) they demand transparency from companies about how their data is harvested, used, stored, and shared. No transparency means no transaction. The most effective way for consumers to convey a message to vendors is through withholding dollars. While these measures might sound draconian, over time vendors able to demonstrate that they are both ethical and trustworthy data stewards would grow, and those that can’t would wither.

    On a separate, but related note: I don’t believe a technical consensus exists for the term data breach. I have read that in the past, companies have circumvented state reporting requirements simply by categorizing events using other terms. This presents a challenge for any regulatory initiatives regarding consumer privacy.

    An article I recently wrote on the topic: A Future Without Secrets? Why We Need Ethical Data Governance http://customerthink.com/a-future-without-secrets-why-we-need-ethical-data-governance/. I’m interested in your thoughts.

  3. i didn’t add the quote but there is some data in a Forrester report that corrobotes the statement about ‘personalized experiences’. The report was about retailers vs. their customers. Retailers stated that being able to send out personalized marketing messages is what they think is what customers value most, followed by communications via customers’ preferred channels with promotional offers being automatically applied based on past purchases and personal preferences.

    Customers see it the other way round. This, of course, implies that retailers either don’t have much of a clue about their customers – or just don’t care …

    This preference might also cause a challenge on the ‘withholding dollars’ frontier but if retailers prioritize according to what their customers value then there at least is some tangible value going back to the customers. On the other hand this is another price war.


  4. Hey David,
    It was very well written and thinkable post. I know facebook is now become worst because lack of privacy and some other issues and yeah definitely most of people leaving facebook due to these issues .
    I am also researching on privacy issues your article will definitely work for me .
    Thank you David for explaining with meaningful thoughts .

  5. Thanks for your comments, Andrew and Thomas. Am just seeing them.

    Thomas – I am very skeptical of businesses based on the idea of consumers being paid directly for access to their data, even though I see many being set up with that model (usually involving a cryptocurrency). It just seems unlikely that most consumers would find it worth the trouble and I suspect that in reality, only a few high-spending consumers would attract much revenue.

    There’s conflicting evidence about how much value consumers place on personalization. One point to bear in mind is that attitudes vary: some people seem to want it very much while others find it creepy. Marketers need to adjust their treatments at the individual level accordingly. There are also some situations where personalization is clearly important and expected (e.g., within an on-going customer relationship, for example with your bank).

    Andrew, interesting point about the definition of data breach. That hadn’t occurred to me. A clear definition will have to evolve if there are legal requirements for reporting. I share your skepticism about politicians’ ability to protect consumers but do wonder whether it’s realistic to expect the general public to act cohesively on their own. One insight I’ll offer is that while most people don’t really care that much about privacy, they are very frightened about identity theft. So pro-privacy efforts that are positioned as identity theft protection might be effective.

  6. thanks, David, I am very sceptical, too; hence my oddly formulated question. It must be seamless for the consumer (which is hardly possible) and will also get strong pushback by the organizations that benefit from free access to valuables.


Please use comments to add value to the discussion. Maximum one link to an educational blog post or article. We will NOT PUBLISH brief comments like "good post," comments that mainly promote links, or comments with links to companies, products, or services.

Please enter your comment!
Please enter your name here