The following guest article was written by Dallán Ryan, Content & Advisory Lead, Data Strategy at Eagle Alpha, an alternative data aggregation platform that also provides supporting advisory services for data buyers and vendors.
Recently, US Big Tech has dominated the information technology space. This dominance has been the driving force behind new legislation on data processing and handling practices. The largest tech giants are branded as “gatekeepers” to their respective industries where they control prices and distribution of goods and services, forcing the hands of third parties using their platforms.
In 2019, the FTC fined Facebook $5 billion for privacy violations and YouTube $170 million for collecting children’s personally identifiable information without parents’ consent. As of December 2020, the FTC ordered Facebook, Twitter, Amazon, TikTok’s ByteDance, as well as several other social media companies, to provide detailed information on how they collect data and use consumer PII.
In China, data privacy regulations are progressing quickly, with China promising that regulation of Big Tech is part of its plan to become a tech superpower. The mandates include stricter compliance for global listings, limits on information monopolies, and transparency on data gathering.
Similarly, China’s Big Tech companies have come under fire for different abuses under Chinese legislation. In 2020, Ant Group, an affiliate company of Alibaba Group, had its planned $35.5 billion IPO suspended, while Alibaba was fined $2.8 billion due to anti-trust violations. Recently, the Cyberspace Administration of China released the results of the Didi cybersecurity review, which resulted in a $1.2 billion USD fine. Didi was found to have illegally collected user information (including 12 million screenshots from users’ photo albums) and improperly handled sensitive information.
The regulation of Big Tech is forcing these “gatekeepers” to change the amount of data and types of data that they and their partners are collecting, as well as the techniques they are using to collect this data.
In 2017, China introduced a law requiring companies to provide the government with any personal data that might be pertinent to the country’s national security. There is no evidence that TikTok disclosed or handed over such data, but fears are growing due to the sheer volume of user data that the app collects. Concerns were raised when ByteDance fired four of its employees in December 2022 for accessing data on two journalists from the Financial Times and BuzzFeed News when tracking down the source of a leaked report.
In February 2023, Senator Michael Bennet urged Apple and Alphabet to delete TikTok from their app stores: “Like most social media platforms, TikTok collects vast and sophisticated data from its users, including faceprints and voiceprints. Unlike most social media platforms, TikTok poses a unique concern because Chinese law obligates ByteDance, its Beijing-based parent company, to ‘support, assist, and cooperate with state intelligence work.’”
On March 7th, 2023, US senators introduced a bipartisan bill designed to address security threats from foreign tech and apps. One potential implication is a ban on apps such as TikTok. The Restrict Act, an acronym for “Restricting the Emergence of Security Threats that Risk Information and Communications Technology”, would give the commerce secretary the power to identify threats and block foreign technology.
Another reason why concerns are growing is the Chinese government’s potential to use TikTok in order to push propaganda and misinformation. FBI Director Christopher Wray told a Senate hearing that the Chinese government could divide Americans over Taiwan and other issues by using TikTok and driving its narratives. He said: “This is a tool that is ultimately within the control of the Chinese government, and to me, it screams out with national security concerns.”
On Thursday, March 23rd, TikTok’s CEO Shou Zi Chew faced a sceptical US Congress and was grilled about his company’s attempts to protect US user data and ease concerns about its ties to China. TikTok is among the most popular apps in America, with more than 150 million active users. From reviewing the session, there are several crucial points important for data users to be aware of.
The hearing lasted for more than five hours and began with Cathy McMorris Rodgers, the chair of the House Energy and Commerce Committee, stating that the platform should be banned. An ongoing theme was Chew’s reiteration that TikTok was independent of China and “TikTok itself is not available in mainland China, we’re headquartered in Los Angeles and Singapore, and we have 7,000 employees in the U.S. today.” For the most part, Chew’s statements concerning data protection and China relations fell on deaf ears.
A key point that resonates with the data community is that TikTok’s CEO stressed that its practices are no different from those of US tech giants like Meta and Google, with Chew saying that TikTok collects data “that’s frequently collected by many other companies in our industry.” While this does not make the amount of data collected (i.e. app engagement, geolocation data, and contact information) acceptable, the app collects about the same amount of information as Facebook or Twitter.
The congressional hearing also focused on the impact the app has on children, with members saying that there is a lack of adequate content moderation, which leaves room for kids to be exposed to content that promotes self-harm. One member of Congress compared Mr. Chew to Mark Zuckerberg, saying that “You have been one of the few people to unite this committee.” While Chew was criticized by Congress for avoiding questions, TikTok said that lawmakers weren’t actually interested in his answers, with a spokesperson for TikTok saying that “the day was dominated by political grandstanding that failed to acknowledge the real solutions already underway.”
A Look at Data Collection
Big Tech companies like Facebook, Instagram (owned by Facebook), and TikTok collect a vast amount of data from their users to improve their platforms, personalize user experiences, and generate advertising revenue. Here is a comparison and contrast of the types of data collected by these platforms, the alternative data categories they fall into, and their potential uses:
Personal information and profile data:
- Facebook: Collects data such as name, email, phone number, date of birth, and profile picture. This information helps personalize user experience and target advertisements.
- TikTok: Collects personal information like name, username, contact details, and age, which helps create user profiles and deliver personalized content and ads.
Social connections and interactions (social media data according to Eagle Alpha’s taxonomy):
- Facebook: Records data about friends, groups, and pages that users like or follow, as well as their interactions (likes, comments, shares). This data helps Facebook understand users’ preferences and deliver more relevant content.
- TikTok: Monitors users’ interactions with other accounts, such as following, liking, and commenting, which informs content recommendations and ad targeting.
Content and media (sentiment data according to Eagle Alpha’s taxonomy):
- Facebook: Analyzes the content users share, including text, photos, videos, and links, to understand user interests and preferences.
- TikTok: Analyzes short-form video content and employs advanced algorithms to understand user preferences and deliver relevant content and ads.
Location data:
- Facebook: Collects location data from user devices, check-ins, and location-tagged content, which helps target local ads and provide location-based features.
- TikTok: Collects location data to serve localized content and ads, as well as to comply with regional regulations and content policies.
Device and usage data (app usage and IoT data according to Eagle Alpha’s taxonomy):
- Facebook: Records information about users’ devices, such as device type, operating system, and IP address, as well as usage patterns and browsing history, to optimize performance and ad targeting.
- TikTok: Gathers device and usage data to optimize app performance, tailor content recommendations, and target ads.
While Facebook, Instagram, and TikTok have similarities in their data collection and usage, they differ in their primary content format and focus. Facebook is more diverse, covering various content types, while TikTok specializes in short-form videos. Despite these differences, all three platforms use the collected data to improve user experience, deliver personalized content, and target ads to generate revenue.
Compliance Considerations for the Investment Community
When it comes to app data and social media data, there are several considerations that must be taken into account by investors. Data provenance is top of the list, and investment managers need to understand whether users opted in to allow their data to be collected and shared with third parties. There were instances in the past where a user might use a free VPN app, social media app, ad-blocker app, etc., and, unbeknownst to the user, this app was collecting cross-app data from the user and selling this data to third parties. The free cost to the consumer is offset by the value of the data collected by the app manufacturer, which is either used directly by the developer or sold to third parties.
Data quality is also important to take into account. As a buyer, you must ensure that the data being purchased is stored and transmitted securely to prevent unauthorized access, misuse, or access to MNPI. On 14th September 2021, the SEC brought a securities fraud ruling against leading mobile app data provider App Annie (now data.ai) and its co-founder and former CEO and Chairman Bertrand Schmitt. The SEC found that the company was “engaging in deceptive practices and making material misrepresentations about how App Annie’s alternative data was derived” that violated anti-fraud provisions of Section 10(b) of the Exchange Act and Rule 10b-5 thereunder.
For firms trading off of the information provided by App Annie, it was crucial that data complied with MNPI regulations, and that App Annie had obtained user consent for the information. The SEC found that there were no internal controls in place to conduct regular reviews around the handling and use of material non-public information. This was the first SEC action related to alternative data, but it is important to note that App Annie was accused of securities fraud and no party was charged with insider trading.
PII is also of utmost importance, as the data (especially in the case of geolocation data) can be used to track a person’s activities. This concern became elevated in the summer of 2022 after the US Supreme Court ruling on Roe v. Wade. SafeGraph, Placer.ai, and Kochava faced possible legal concerns regarding the potential use of their data by certain US states with restrictive abortion laws. Vendors providing geolocation data removed “sensitive locations” from their datasets. All vendors endeavor to anonymize their data, but a high level of diligence needs to be undertaken, particularly at the time of ingestion and ETL. As is usually the case regarding MNPI, data provenance is extremely important.
If TikTok does get banned, we should expect higher scrutiny and potential regulatory actions with regard to all app, location, and social media data providers. In addition, asset managers using these data sources need to be extra diligent when purchasing from data vendors and conducting ongoing monitoring of them.
A Note on Data Privacy
Data privacy is crucial for the long-lasting benefit of the data community for several reasons:
- Protection of personal information: Data privacy helps protect individuals’ personal information from unauthorized access, misuse, or theft, ensuring that sensitive data remains confidential and secure.
- Maintaining trust: Data privacy helps maintain trust between consumers and businesses, as consumers are more likely to share their information with organizations that demonstrate a commitment to protecting their privacy.
- Compliance with regulations: Many countries and regions have implemented data protection laws to safeguard individuals’ privacy. Compliance with these regulations is essential to avoid penalties and potential damage to a company’s reputation.
- Identity theft and fraud prevention: Ensuring data privacy helps prevent cybercriminals from accessing personal information, which can be used for identity theft or other fraudulent activities.
Data protection laws can benefit both the data industry and consumers by:
- Establishing clear guidelines: Data protection laws provide a clear framework for organizations to follow when collecting, storing, and processing personal data, ensuring that they adhere to best practices for data privacy.
- Encouraging innovation: By creating a standardized set of rules, data protection laws can encourage innovation within the data industry, as companies can develop new technologies and services while adhering to privacy requirements.
- Empowering consumers: Data protection laws often include provisions that give individuals more control over their personal information, such as the right to access, correct, or delete their data. This can help consumers make informed decisions about how their information is used.
- Enhancing trust: Strict data protection laws can help build trust between businesses and consumers, as organizations are required to demonstrate their commitment to privacy and adhere to established regulations.
Data privacy regulations in the US and globally
Data privacy regulations in the US and globally can vary significantly, both in terms of the scope of protection they offer and the requirements they impose on businesses and organizations that collect, process, and store personal data. The European Union’s General Data Protection Regulation (GDPR) is one of the most comprehensive and stringent data privacy regulations in the world, covering all personal data collected from EU citizens, regardless of where the data is processed or stored.
In contrast, the US has a patchwork of data privacy laws, including sector-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which only protect certain types of personal information. Many global data privacy regulations require businesses to obtain explicit consent from individuals before collecting and processing their personal data. They also require businesses to provide clear and transparent notice about what data they collect, how it will be used, and who it will be shared with.
In the US, privacy laws such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA) have implemented similar consent and notice requirements, but there is no comprehensive US federal privacy law in place. In July 2022, an amended version of the American Data Privacy and Protection Act (ADPPA) was approved by the House Committee on Energy & Commerce for full House consideration. It remains to be seen whether the TikTok hearing will result in a renewed bipartisan push for a federal privacy law.
How Organizations Can Protect Themselves
To collect and use data in financial services safely and effectively, an investment manager should:
- Implement strong data security measures: Financial institutions should employ robust security measures, such as encryption, access controls, and secure data storage, to protect sensitive financial data from unauthorized access or breaches.
- Adhere to regulatory compliance: Financial institutions must comply with relevant data protection laws and industry-specific regulations, such as the General Data Protection Regulation (GDPR) or the US Gramm-Leach-Bliley Act (GLBA).
- Minimize data collection and retention: Collect only the necessary data required for specific purposes, and limit data retention periods to minimize the risk of unauthorized access or misuse.
- Establish transparent privacy policies: Clearly communicate privacy policies to customers and obtain their consent before collecting, processing, or sharing their data.
- Regularly monitor and audit data practices: Continuously monitor data processing activities, conduct regular audits, and implement necessary improvements to ensure ongoing compliance with data protection laws and best practices.
- Implement privacy by design: Integrate data privacy considerations into the design and development of financial products, services, and processes, ensuring that privacy is a core component of the organization’s operations.
By following these guidelines, financial institutions can ensure the safe and effective collection and use of customer data while respecting privacy and complying with relevant regulations.
Eagle Alpha is excited to announce a special event for the alternative data community in New York on April 26th in partnership with Proskauer Rose LLP. Paula Weil, Chief Compliance Officer at Citadel, and Sam Waldon, Chief Counsel at the SEC, will join to discuss insider trading concerns, legal implications involving specific types of data, due diligence, and best practices.