Those in the know could be forgiven for thinking that the promised actions, listed below, are pretty much in line with what the tech giant would be expected to undertake to become GDPR compliant by the May 25th deadline. To the outside observer, it looks like Facebook has held up its hands, and its apology to win advertisers over is that it will now become compliant with data privacy rules it would have been bound by in two months' time anyway.
Last Friday Facebook had a crunch meeting with ISBA, the group that represents advertisers who have 3,000 between them. It was a big deal and the world's media was waiting to hear the outcome. If ISBA's summary was that its members couldn't trust Facebook to protect the public's data, then we could well have seen many decide to pull their spend.
As it was, the note from the Association couldn't have been more convivial. To paraphrase, ISBA said Facebook was taking the matter very seriously and was open to consult with ISBA members as it rectified mistakes.
There were a series of promises made to ensure that apps were not allowed to gather too much information about their users. The main points are:
A review for bad apps: Any apps found to have misused personal data will be banned from the platform.
User updates: If an app has been banned, its users will be warned.
Turn off old apps: Those apps you can't remember accessing will be disabled if they're no longer in use.
Encourage reviews: People will be told how to check which apps they use and what data those apps are holding on them.
Restrict log-in data: When you sign in with Facebook, a brand will soon only be able to access your name, profile photo and email address. Any other data will need a user's permission to collect.
Bug bounty: Users will be encouraged to report data malpractice to Facebook whenever they spot it.
It all sounds like common sense. The fact that this is not already happening should be ringing alarm bells. Clearly Facebook is expecting apps and its log-in service to be backed by consent, for which GDPR has raised the bar to fully informed, freely given and granular. There is nothing in its proposed actions that doesn't bring it into line with the current Data Protection Act (only keeping data as long as it's needed) and GDPR (a higher level of consent).
The litmus test for me will be if there are still old apps on my account after the May 25th deadline that still have a tick to show they have assumed the right to monitor my political and religious views. You really can't get more of an open breach of GDPR's consent rules than that.
As for this whole debacle, I'm just not convinced. ISBA has assured its members that Facebook is taking data privacy seriously. I would suggest all the platform has done is promise to do what it should have already been doing and what it will receive a huge fine for avoiding from May 25th onward.
As such, I think Facebook pulled off a masterstroke in crisis management on Friday. Advertisers were looking for an excuse not to have to ditch the platform -- and they were given the flimsiest of reasons not to do so.