The saying goes: ask for forgiveness, not permission.
But when it comes to Facebook there's a common line of defense in response to persistent concerns over how it handles user data: We did it with permission.
After the New York Times reported Facebook gave tech companies like Amazon, Microsoft, and Netflix special access to user data, including the ability to see private messages, the social media company answered "none of these partnerships or features gave companies access to information without people's permission."
The problem, experts say, is that many users don't realize they are giving permission at all.
"While it is true that some data sharing would have been expected by consumers, much of what was described in the reporting would not reasonably have been expected," said Brian Wieser, senior research analyst covering Facebook at Pivotal Research Group, in a note published Wednesday.
A 2017 Deloitte survey of 2,000 U.S. consumers found 91 percent of respondents willingly accept legal terms and conditions without reading them before installing apps, registering Wi-Fi hotspots, accepting updates and signing into online services such as video streaming. That percentage increased to 97 percent among 18 to 34-year-olds.
Facebook CEO Mark Zuckerberg admitted he knows this in an exchange with Wisconsin Senator Ron Johnson in a Senate hearing in April:
JOHNSON: Do you have any idea how many of your users actually read the terms of service, the privacy policy, the statement of rights and responsibilities? I mean, actually read it?
ZUCKERBERG: Senator, I do not.
JOHNSON: Would you imagine it's a very small percentage?
ZUCKERBERG: Senator, who read the whole thing? I would imagine that probably most people do not read the whole thing. But everyone has the opportunity to and consents to it.
One of the problems for both users and companies like Facebook is defining consent in the first place.
Michael Veale, a researcher in the science, technology, engineering and public policy of University College London, told CNBC Thursday consent in the U.S. is often based on a one-time approval of a company's terms and conditions. But he said the U.S. is moving in the direction of more European-style regulation.
In May, a sweeping set of data privacy rules went into effect in Europe. Called the General Data Protection Regulation (GDPR), it defines consent as a "freely given, specific, informed and unambiguous indication … by a statement or by a clear affirmative action."
Veale said terms and conditions are a "red herring" for EU regulators looking for companies that are trying to collect extra personal data.
"Consent in the GDPR is not a take it or leave it question," he said.
Facebook has already been accused of violating a consent decree it reached in 2011 with the Federal Trade Commission (FTC) over its handling of the Cambridge Analytica data leak, and the latest revelations in the New York Times could put the company in the crosshairs of the FTC again. The FTC agreement requires Facebook users to give permission before the company can share personal data beyond the privacy settings they have already established. Facebook said its partner agreements did not violate the FTC settlement.
