One thing Facebook’s IPO filing documents make clear is that the company is taking privacy risks seriously. Privacy is mentioned 35 times, mainly as a risk factor.
The company acknowledges that media coverage of privacy lapses, for example, could affect profits.
Unfavorable publicity regarding, for example, our privacy practices, product changes, product quality, litigation or regulatory activity, or the actions of our Platform developers or our users, could adversely affect our reputation. Such negative publicity also could have an adverse effect on the size, engagement, and loyalty of our user base and result in decreased revenue, which could adversely affect our business and financial results.
The public and media scrutiny will only increase, because as a listed company, Facebook will be obliged to reveal any privacy-related investigations into its business.
Facebook’s filing documents also mention, several times, the risks from changes in privacy laws both in the US and Europe.
There is reference to the recent proposals by the European Commission for stricter data protection laws, which would give people the “right to be forgotten”, in other words have their personal data deleted by companies if they wish. If the law is passed, this would be a particularly heavy administrative burden for Facebook, with its collection of 845m people’s personal information. The EU is also proposing fines of up to 2 per cent of revenues when companies fall foul of the rules, which based on 2011 sales levels would come to around $74m.
For example, a revision to the 1995 European Union Data Protection Directive is currently being considered by European legislative bodies that may include more stringent operational requirements for data processors and significant penalties for non-compliance.
These existing and proposed laws and regulations can be costly to comply with and can delay or impede the development of new products, result in negative publicity, increase our operating costs, require significant management time and attention, and subject us to claims or other remedies, including fines or demands that we modify or cease existing business practices.
Facebook settled a case with the Federal Trade Commission only last November and is now under fairly strict supervision by the FTC and the Irish Data Protection Authority. Both require six-monthly, independent privacy audits of the company. Facebook appears to expect other regulators around the world to ask questions as well:
…we expect to continue to be the subject of regulatory investigations and audits in the future by these and other regulators throughout the world.
There is special mention about uncertainties around the laws around the use of people’s pictures:
This may partly refer to the fact that the Hamburg Data Protection Authority is planning to bring legal action against Facebook over the facial recognition feature that allows photo tagging on the social network. The case could result in a E300,000 fine, pocket change for Facebook, but an order to stop using the feature in Germany and the negative publicity around the case could be more hurtful.
However, the Hamburg case is simply around use of facial recognition and is not particularly linked to advertising. This raises the intriguing question over whether there are other investigations arising around facial recognition and advertising.
Facebook’s flagship advertising product, Sponsored Stories, relies on the ability to use names and faces of friends who like certain brands.
It is unsurprising, therefore, that there are also many mentions in the filing about what Facebook is doing to promote privacy, including a number of controls and a ”dedicated team of privacy professionals who are involved in new product and feature development from design through launch”.
The big fear about privacy is that eventually, following too many negative privacy-violation stories, users would begin to leave the social networking site in droves.
A Business Insider survey last year found that of the people who were not using Facebook, 42 per cent cited privacy fears as the reason.
However, even recent protests about changes to privacy settings, and the ill-fated Beacon advertising programme, Facebook’s user numbers have continued to grow exponentially. The company’s user base – around 12 per cent of the world population – so far seem relatively undeterred by the privacy question.