
Move Fast and Break…Privacy Promises?

“I accept the terms and conditions.” We’re all too familiar with this little checkbox, to which most of us pay little mind. As consumers and users, we’ve been trained to trust the companies we interact with daily. While we’re all wary of hackers and bad actors compromising our data, what happens when that trust is broken from within, and companies themselves begin breaking their own promises? In recent weeks, companies have made headlines for failing to deliver on their privacy commitments, including mishandling location data, sharing user information, or failing to shield minors. 

Whether or not these incidents simply represent more examples of companies trying to ‘move fast and break things,’ many of these violations could be prevented or mitigated with better trust and safety practices. To look more closely at why so many privacy violations persist when the stakes are now well known, our team of analysts rounded up a few recent incidents to identify and unpack any patterns.

Care(less)19 

As the COVID-19 pandemic has spread, many companies and governments have raced to launch contact tracing apps to flatten the curve and stop the spread. North and South Dakota’s Care19 was one of the first to launch, accepting users on April 7th. Less than two months later, the app has been caught violating its own privacy policy by sharing citizen location data and other personal data with an outside company, Foursquare.

While it’s the responsibility of the company to comply with the terms they have set for their product, this incident shows that both state officials and Apple dropped the ball when vetting the app. The app developer, ProudCrowd, confirmed that while it does share data with Foursquare—which leverages location data for marketers—it explained that the data is not used for commercial purposes. Since coming to light, ProudCrowd has promised to change its privacy policy and work to share less data in the future.

Our Take: We can all agree this is a privacy faux pas. Moreover, this case study shows that data misuse isn’t only an issue for Big Tech or social media platforms; smaller platforms and services can make missteps as well, and we should look with scrutiny at every product with which we share data. Aside from the explicit data misuse, the Care19 incident highlights potential impacts of the COVID-19 pandemic. The pandemic has brought the need for new solutions (e.g., telehealth, contact tracing) rapidly to the forefront, on top of the rapid rise in demand for remote or digital services. Due to the speed at which products are going to market and the increased use that platforms may not have prepared for, the pressure to move quickly can lead to more missteps that cause privacy and security breaches.

TikTok Trips Up 

Before there was TikTok, there was Musical.ly, a predecessor to the popular video-sharing app. ICYMI, Musical.ly had violated the federal children’s online privacy law by collecting names, email addresses, videos, and other personal data from users under the age of 13 without a parent’s consent. After merging with Musical.ly, TikTok agreed to make significant changes to their app to settle the predecessor’s charges (as well as pay a $5.7 million fine).

We’re now seeing history repeat itself, as TikTok has directly violated the agreement it made with the Federal Trade Commission (FTC) to protect the privacy of users under the age of 13. Until recently, the app still had videos of users under 13 on their app from 2016 and did not put proper age verification standards into place, among other violations. It’s unclear how this happened; at best, this incident can be explained by mismanagement of the situation or lack of follow-through. At worst, this was a deliberate violation of the FTC agreement to keep one of their most active user bases and content to support business growth.

While there are no reported investigations or lawsuits against the social media company following this fresh allegation, the incident appears to be a clear violation of their agreement and raises the issue of what TikTok has done to follow through on its commitment. Members of US Congress have expressed concerns around TikTok and the possibility of it sharing data with its parent company, ByteDance, a Chinese conglomerate.

Our Take: This incident underscores the need for companies to prioritize data protection practices, through measures like appointing a Data Protection Officer as required by GDPR, for example. Without sound practices and a defined privacy and security plan, things can get lost or slip through the cracks—whether purposefully or not—like addressing privacy issues from an acquired subsidiary.

In this particular case study, the oversight that brought the incident to light was not from a government agency, but from a coalition of private advocacy groups focused on children’s privacy and protection. Now we find ourselves wondering, would this issue have gone unnoticed without such groups? What should oversight look like for social media platforms as they continue to dominate online interactions?

Surprise, Surprise…Facebook

Canada is fining Facebook $6.5 million for false privacy claims and mishandling user information from 2012-2018. According to the country’s Competition Bureau, Facebook gave the impression that users had full control over who could access their personal data when using privacy features on the social media platform. Instead, the platform improperly shared data with third-party companies and developers.

In previous investigations, Facebook said it had stopped this kind of data sharing in 2015, but in actuality, it continued into 2018 in some cases. Facebook noted, “Although we do not agree with the Commissioner’s conclusions, we are resolving this matter by entering into a consent agreement and not contesting the conclusions for the purposes of this agreement.”

Our Take: This follows a long string of privacy incidents and other data-related controversies for Facebook. Continued occurrences like these raise more of an eyebrow for a company of Facebook’s size, stature, and history, compared to smaller or younger platforms like TikTok or apps like Care19, where inexperience or lack of resources might understandably explain missteps. It perpetuates the mistrust of Big Tech and erodes confidence in the ability of regulators and privacy law to spark change.

Although disputed according to Facebook’s settlement statement, where there’s smoke, there’s often fire—similar to the TikTok incident. This particular situation can be interpreted generously as an accidental misstep, questionable for a company of Facebook’s stature, or more skeptically as a deliberate violation. 

Our Conclusions

These incidents all represent failures to uphold commitments each platform itself has made, not just questionable actions or accidental brushes against regulation. The lack of clarity of where precisely these companies dropped the ball in fulfilling their privacy commitments now begs the question of transparency and accountability, not just when caught in incidents like these, but always.

As these case studies show, each incident has both a benign and a harmful potential interpretation. To get to the bottom of each would require fuller investigation or litigation, but none of the parties involved have yet resorted to such measures for these incidents. Looking at the above examples, Facebook settled, and TikTok and Care19 have only just been reported. 

Whether you chalk it up to negligence as a result of the mentality to “move fast and break things”—to obtain users, quickly launch products, or otherwise—these incidents represent a troubling, continued pattern of privacy violations. It’s no surprise that consumer patience is wearing thin; in 2019, a study found that nearly 80% of Americans are concerned about how companies use their data.

What’s next? Well, the trust and safety implications for companies are clear. Privacy commitments exist for a reason, and the world is watching to ensure companies conform with their own terms and agreements. As we all rapidly become more digital, tech companies must implement effective data protection and privacy practices if we are to see fewer of these slip-ups.