blog: Don Marti


undisclosed risks at Meta

10 February 2022

Lots of attention to one SEC disclosure about regulatory risks for Instagram and Facebook in Europe: "Meta warns it may shut Facebook in Europe but EU leaders say life would be 'very good' without it."

So that's a story, but from here in California the really interesting risk disclosures are a few that aren't there. Meta has some risks related to ongoing violations much closer to home.

  1. The company has not been acknowledging CCPA Right to Know (RtK) letters from California residents who do not have Facebook accounts. If Facebook still maintains shadow profiles on people who do not have accounts, then refusing to disclose them to the person described in the profile is a CCPA violation. A person cannot be required to agree to a company's Terms of Service in order to exercise their rights under CCPA. (Or maybe Facebook already bulk-erased the shadow profiles of anyone from California who they don't have signed up as a user?)

  2. The personal information in Facebook's Download Your Information downloads is incomplete. The extent of the missing data is gradually coming out in discovery in In re Facebook, Inc., Consumer Privacy User Profile Litigation. We don't know exactly how much extra data they will have to start disclosing, but if they're putting this much effort into fighting discovery in one case, it has to be enough to be worth mentioning as a risk to the SEC.

  3. Meta is ignoring or mishandling Authorized Agent RtKs. This is a fairly common issue at surveillance marketing companies. Authorized Agents are still rare, and a lot of companies don't have a process in place to handle them correctly. But a high-profile company like Meta is likely to get a bunch of agent RtKs, and it's reasonable to expect them to disclose the associated risks.

See the CCPA Regulations for more details. A Download Your Information portal is allowed for complying with CCPA Right to Know, but only for people who already have accounts, where the business maintains a password-protected account with the consumer, and only when the portal fully discloses the personal information that the consumer is entitled to under the CCPA.

All three of these items are much more likely than the "We will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe" scenario. So they could really use a mention in the next Form 10-K or other documents.

“A Pure Sideshow”: Now More Than Ever, the Stock Market Doesn’t Matter

An uncertain future for the web in Europe

Andrew Forrest launches criminal action against Facebook over scam ads that used his image

Is Momentum Shifting Toward a Ban on Behavioral Advertising?

On Meta’s ‘regulatory headwinds’ and adtech’s privacy reckoning

FTC Calls Out Targeted Ads for Social Media Scams

Holding Facebook Accountable for Digital Redlining