Vendor Risk Management at Facebook Back in Headlines - Clarip Privacy Blog

Vendor Risk Management at Facebook Back in Headlines

Data sharing with third-party vendors has been in the spotlight for much of this year in the wake of the Cambridge Analytica scandal at Facebook. It is becoming clear that regulators have high expectations for businesses that share data with third parties, given what happened to Facebook. Organizations need to be aware of this focus and give their Vendor Risk Management higher priority in light of these events.

The scrutiny of regulators and the media on vendor management is demonstrated by today’s article in the New York Times on how Facebook failed to police how its partners handled user data. The article examines Facebook through the content of an FTC-mandated assessment conducted by PwC in 2013 as part of its compliance with the Federal Trade Commission consent decree. Although a redacted version of the report was released in June, the now-released version contains previously redacted information discussing how Facebook’s auditors noted its inadequate oversight of vendors.


The information was released as a result of Senator Wyden’s examination of Facebook following the disclosures earlier this year that Facebook continued to provide access to personal data through its API even though it said that it had cut off the data years ago as part of its response to the Cambridge Analytica scandal. This continued data sharing was part of the integration partnership that has been referred to as the Facebook Experience applications.

The data privacy practices of this information sharing were included in the FTC audits. PwC’s initial privacy assessment tested Facebook’s partnerships with Microsoft and Research in Motion, two of the seven application developers taking part in the program at the time. The Microsoft integration allowed Facebook on Windows, and the RIM integration allowed Facebook on the BlackBerry.

The report found “limited evidence” that Facebook had monitored partner compliance with its data use practices. The report continues: “Lack of comprehensive monitoring makes it more difficult to detect inappropriately implemented privacy settings within these third-party developed applications.” However, this was only one of the six controls in the assessment, and PwC noted overall that Facebook had privacy controls of sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information in all material respects during the first 180 days following the FTC consent order in August 2012.

In assessments subsequent to the initial assessment, Facebook was graded on less stringent criteria with respect to data partners. The auditors of these reports tested merely whether partners had agreed to its data use policies. A spokesman for PwC told the New York Times that Facebook defined the controls used during the assessments to test their privacy practices.

What should businesses note from this article? Organizations that provide information to third parties (whether through an API or another mechanism) should consider examining the data privacy practices of the third party to ensure that the vendor is acting consistently with the agreement and privacy practices that the parties have established.

