Q&A: Facebook’s Carolyn Everson on Privacy Changes and Protecting Consumers’ Data

Social network's vp of global marketing solutions discusses what's next

Everson spoke with Adweek Thursday afternoon.

Following Facebook CEO Mark Zuckerberg’s announcement on Wednesday that Facebook plans to audit thousands of apps that might have had excessive access to user data on the platform until 2014, the company is trying to explain to advertisers and users how Cambridge Analytica might have inappropriately gained and used Facebook data.

In an interview with Adweek Thursday, Carolyn Everson, Facebook’s vp of global marketing solutions, stuck to talking points about what the company is doing next to improve transparency on the platform and to regain user and advertiser trust.

“I think the most important point is that we are taking unconditional responsibility for what has happened,” Everson said. “And I think we’re putting in very, very strong changes to our platform policy and to ensure, at the end of the day, the most important thing that we need to do is protect consumer data and to ensure and restore consumer trust in that we are really protecting their privacy.”

This interview has been edited for clarity and brevity.

Adweek: It almost seems, in a lot of ways, similar to the responses that the company gave back in 2011 when there was an FTC settlement with Facebook over privacy concerns. I’m curious—why should users believe that Facebook is going to change things this time?
Carolyn Everson: This was a policy change that we had made three years ago. And this is an abuse of a policy that was in place at the time because Cambridge Analytica certified that they got rid of the data, and if in fact they have not gotten rid of the data, it is, of course, a violation of the agreement they signed. It is a terrible violation of the trust that we have with users, and it is a complete misuse of people’s information. And so this is, again, the bad actor doing something with data that they shouldn’t have done.

But at the end of the day, it doesn’t change the narrative, and the narrative from our perspective is this is on us. We have to take full responsibility, and we intend to go forward and restore consumer trust. Period. End of story. That’s the most important thing that we have is people’s trust. And that is what we’re focused on.

Why not also audit from 2014 to now? I know there have been policy changes since then. Obviously a lot has happened with Facebook and with the world in the last three years. Are there not things that maybe you haven’t realized yet?
So the initial audit is going to focus on the apps that had access to that data, and any app that we may have felt had suspicious activity. But that is not the only thing that we are going to be auditing. We will be reviewing a lot of things internally, and we will continue to review everything we are doing to ensure that we are as buttoned up and leading the industry. I think the higher order thing that we’re trying to get to is not did we audit this app or that app, because we’re going to do a very thorough audit and an internal review. I think the higher order is how do we come out of this and lead the industry on how consumer data is handled in a digital environment.

And I have a lot of confidence in our ability to come out and lead here because we’ve done it before. Look at what happened with Russia. We could have simply waited and continued to wait because they still haven’t put regulation into effect, but we could be waiting for Congress to say that ads need to be more transparent on digital. And we did not wait for that. We actually not only made political ads transparent, but we made all ads transparent. That’s in beta in Canada, but it’s rolling out soon here in the U.S. That is going to put every single ad in the hands of any consumer, any third-party group, any watchdog group, and that is fully transparent.

That’s a leadership position that we worked on, and we frankly led the industry on that and I think we’re going to come out of this with very specific actions that we take that really puts consumer privacy at the center of what we do. And I’m really confident we can lead the industry here.

With that in mind, there seems to be this awakening. People are realizing that Facebook gets a lot of data about everyone. And so what else are you doing? Why hasn’t Facebook done more to educate users on how their data is collected? It seems like Facebook has been placing blame on users for not knowing their information is collected.
It’s on us. It’s always on us. And we have to do a better job of educating consumers and giving consumers tools to understand how their data is being utilized.

I think there’s two good examples. One is on the advertising side. You can click on any ad on that right-hand corner on Facebook and see why you’re receiving that ad. You can tell us you don’t want to receive that ad anymore, why that ad is not relevant. You can see why we may have targeted you for that particular ad, and that really puts it into consumers’ hands, the control and transparency of the ads that they are seeing.

I think that transparency on all ads—starting with the political, but now going to all ads—that’s the second area. I think the third is privacy checkup. It’s going to be very important.

I think the work that we’re doing with GDPR [General Data Protection Regulation] to prepare ourselves for that rollout is also going to be incredibly well received because we’re going to be GDPR-compliant, and we work closely with the regulators on that. We’re going to have a very different user flow for people based in Europe to comply with GDPR, and that will give them more control.

And so I think it is always on us. It’s never on the user, and we will continue to educate them, provide better tools and ensure that consumers understand how that is being utilized.

I’m glad you brought up GDPR. How are you having to change in order to comply with the May 25 deadline?
So we’re working through that as we speak. The good news is that we had been working closely with the European regulators on the development of GDPR. We’ve been at the table so it’s not like we’re receiving it late and trying to sort through it. We’ve been working hand in hand with them, and we’re working through the changes that we’re going to be rolling that out … over the coming months to be ready for May, and we will be fully ready and fully compliant.

It seems at least on the privacy side of things a lot of that stuff starts in Europe. Why not just roll it out for the U.S. as well if it’s that important?
I think we’re going to look at all options around how to ensure that consumers feel they have the right level of control and transparency about their data. The updates that we’ll have on GDPR will be coming to you in the next few weeks, and you’ll see how we’re initially rolling that out.

In one of the interviews this week, Mark mentioned that he agrees it feels that Facebook should be open to regulation here in the U.S. What would that look like to you? How should Facebook be regulated at this point?
We’re open to regulation, and I believe what he said is we’re open to the right regulation and that we are not just waiting for regulation. And I think the very best example is what we have done with ads transparency. Because there was all this discussion back in the fall, as I was working with a lot of our peer companies in the industry. There was all this discussion about the regulation around transparency of ads, and we just moved forward without the regulation.

And I would argue we probably moved forward in a stricter way than the regulation even [being] contemplated, as a regulation was only contemplating political advertising, and we decided to make all advertising transparent. So it’s more about the right regulation but not waiting for regulation, about really recognizing our responsibility and taking the necessary steps to do the right thing.

Back to the audits—you mentioned that you’ll be letting anyone know if their information had been compromised. Are you going to make the result of the audit public or just to the people that maybe had something misused?
At this point, we will only be notifying the people that may have had their data misused. That’s the commitment that we’ve made, and we think right now, the most important thing is that if somebody had data misused that they be notified.

Another question about Cambridge Analytica: I know that in 2015, they just found out about this, you’re notified by the Guardian. Why keep taking advertising money from them for two and a half or three years now?
Cambridge Analytica had certified that they got rid of the data. They also moved to serve other types of advertisers, and they were not just doing political advertising at that time. We didn’t have people servicing them. So my team wasn’t meeting with them on a day-to-day basis.

They were using the platform in a self-serve way, and they were allowed to do that. … And they’re obviously kicked off now.

How many ad campaigns did Cambridge Analytica run on Facebook?
I am not able to say at this point. We’re in the midst of reviewing who may have worked with Cambridge Analytica over the last few years.

What are advertisers saying to you guys right now? Have any threatened to pull money away from Facebook until this is all sorted out?
Generally, the advertising response has been incredibly positive and supportive more than I would say positive news. Excuse me, I would say a supportive. I think the positive piece is they’ve been happy that we’ve reached out and we stayed in very close communication. The supportive is really around believing that we are going to take the necessary steps, very pleased with Mark’s statements and the actions that we’re taking. And I do believe we have demonstrated our ability to take challenges and come out on the other end in a real leadership position. We make substantive changes to our policy or how we do business. And I think we have earned a lot of credibility with marketers and leaders that when we focus on things and we take full responsibility that we usually come out on the other end as a much stronger and frankly better company.

Do you think that Facebook is collecting too much information about people? You have Facebook’s apps, Facebook Audience Network. I mean, does Facebook need to maybe be collecting less at this point?
Facebook has a responsibility to protect people’s privacy and the data that we collect, we have the responsibility of having consumers understand what we are doing with that data.

We do not sell their data. We have a responsibility to give consumers control over the access that we have to that data and how it’s being used. And I think that the ultimate contract that we have is to establish around trust. We provide a free platform for over 2 billion people. We provide incredibly relevant advertising and business opportunities and consumers benefit from relevant advertising. And I think that our job at the end of the day is to ensure that our platform protects their privacy but it gives them control and transparency on how their data is being used.

Marty Swant is a former technology staff writer for Adweek.