The Senate Commerce Subcommittee on Consumer Protection recently held a follow-up hearing on the contentious data collection and sharing by Facebook and Cambridge Analytica of 80 million Facebook users’ data without their knowledge. A full committee hearing in April saw Facebook founder Mark Zuckerberg awkwardly and obliquely answer Senators’ questions, generally saying that Facebook did nothing wrong. On June 19, it was Cambridge Analytica’s turn to take the heat, with Aleksandr Kogan, the man responsible for developing the application that collected the user data, awkwardly answering questions while mostly shifting  blame onto Facebook. Other witnesses included John Battelle, the CEO of NewCo, and Ashkan Soltani, former chief technologist of the Federal Trade Commission (FTC). Each offered insight into how data sales work and the current situation between Facebook and Cambridge Analytica.

Sen. Jim Moran (R-KS) and Richard Blumenthal (D-CT), subcommittee chairman and ranking member, respectively, handled most of the questioning. Even as so many companies are grappling with GDPR compliance, some at the hearing clearly sought to bring the U.S. something akin to the GDPR’s privacy regulation.  Blumenthal, the most aggressive interrogator at the hearing, made clear his legislative intentions, promising to introduce “ a bill that will, in effect, provide a privacy bill of rights based, in part, on the standards that Europe has already adopted,” since he felt that “Americans deserve no less privacy then” those Europeans. The Senator also urged “alerting the American public to what those threats and challenges are to their privacy, as well as the potential threats to our national security from Russian interference in our election, and other uses of the Internet that may be known to companies like Facebook, but not to the broad range of Americans.” Blumenthal heaped disdain on the current U.S. privacy regime, especially in regards to Facebook: “There's no question that Facebook's model is immensely powerful and unchecked right now. And so, the challenge for us is to provide some oversight and protection.”

John Battelle, CEO of NewCo and former head of data sales at Facebook, disagreed with Blumenthal about the effect a law similar to GDPR would have on the U.S. market, stating that, “The EU's adoption of GDPR, drafted to limit the power of companies like Facebook, may only strengthen that company's grip on its market, while severely limiting entrepreneurial innovation.” Compliance with laws like GDPR is extremely costly.  estimated to average around $1 million. Small and new businesses cannot afford to comply, but companies like Facebook, who are worth billions, can comply relatively easily.

All the witnesses took the opportunity to throw Facebook under the bus. Kogan, the application designer from Cambridge Analyitica, accepted little to no blame for the events that transpired. When discussing how the application was set up and fielded, Kogan made sure everyone knew that Facebook had no part in ensuring his company followed proper privacy standards “The first time that I could really recall having any interaction with a human being on the Facebook side was in December 2015, when that first Guardian article reported about the project. So, that was a year and a half later.” In a line of questioning from Senator Blumenthal, Kogan discussed the app’s terms of service and whether Facebook knew about them:

BLUMENTHAL: In fact, in our last hearing with Mr. Zuckerberg, I held up the terms of service that, I believe, were provided to Cambridge Analytica, by you or by you to Cambridge Analytica. Do you recall that moment?

KOGAN: Yes, sir. Cambridge Analytica provided those terms of service to me to put in the app.

BLUMENTHAL: Do you know the origins of those terms of service?

KOGAN: Chris Wiley wrote them. My understanding was that this would be a way for us to make a fully commercial app. Because prior to that, it was an academic app.

BLUMENTHAL: And those terms of service provided for the sale or sharing of information. Did they not?

KOGAN: Yes, they did.

BLUMENTHAL: And they were known to Facebook. Were they not?

KOGAN: Yes, they were.

BLUMENTHAL: Despite Mark Zuckerberg disclaiming any knowledge of them.

The major takeaway from the almost two-hour hearing was nothing new: consumer data privacy is important, policymakers are concerned. Soltani summed it up best: "Senators, all of this has happened before and all of it will happen again. I cannot stress enough, Cambridge Analytica's access and sale of personal information from Facebook is not new. It's a foreseeable result of a business model that essentially pays developers with access to consumer information.”

For the market research and data analytics industry, the hearing indicates a heightened level of government awareness about data collection and sharing. Businesses should be taking extra precautions to ensure the privacy and security of their data subjects. That could look like more transparency (as prescribed in the GDPR), more granular consent, or heightened oversight of how the data is collected and sold.

We also expect more laws at the state and federal level, such as the California Consumer Privacy Act. Of course, we have already seen the GDPR, and it seems that Senator Blumenthal is working on a bill intended to be just as far-reaching and challenging.