undisclosed risks at Meta
10 February 2022
Lots of attention to one SEC disclosure about regulatory risks for Instagram and Facebook in Europe: Meta warns it may shut Facebook in Europe but EU leaders say life would be 'very good' without it.
So that's a story, but from here in California the really interesting risk disclosures are a few that aren't there. Meta has some risks related to ongoing violations much closer to home.
The company has not been acknowledging CCPA Right to Know (RtK) letters from California residents who do not have Facebook accounts. If Facebook still maintains shadow profiles on people who do not have accounts, then refusing to disclose them to the person described in the profile is a CCPA violation. A person cannot be required to agree to a company's Terms of Service in order to exercise their rights under CCPA. (Or maybe Facebook already bulk-erased the shadow profiles of anyone from California who they don't have signed up as a user?)
The personal information in Facebook's
Download Your Information
downloads is incomplete. The extent of the missing data is gradually coming out in discovery in In re Facebook, Inc., Consumer Privacy User Profile Litigation. We don't know exactly how much extra data they will have to start disclosing, but if they're putting this much effort into fighting discovery in one case, it has to be enough to be worth mentioning as a risk to the SEC.Meta is ignoring or mishandling Authorized Agent RtKs. This is a fairly common issue at surveillance marketing companies. Authorized Agents are still rare, and a lot of companies don't have a process in place to handle them correctly. But a high-profile company like Meta is likely to get a bunch of agent RtKs, and it's reasonable to expect them to disclose the associated risks.
See the CCPA
Regulations
for more details. A Download your Information
portal
is allowed for complying with CCPA Right to Know, but only for
people who already have accounts, and a business maintains a
password-protected account with the consumer,
and only when
the portal fully discloses the personal information that the
consumer is entitled to under the CCPA.
All three of these items are much more likely than the We will
likely be unable to offer a number of our most significant products
and services, including Facebook and Instagram, in Europe
scenario. So they could really use a mention in the next Form 10-K
or other documents.
Bonus links
“A Pure Sideshow”: Now More Than Ever, the Stock Market Doesn’t Matter
An uncertain future for the web in Europe
Andrew Forrest launches criminal action against Facebook over scam ads that used his image
Is Momentum Shifting Toward a Ban on Behavioral Advertising?
On Meta’s ‘regulatory headwinds’ and adtech’s privacy reckoning
