Facebook’s Small Business Grants Come With a Big Catch: Your Data

By Todd Feathers

In March, Facebook announced a $100 million grant program for small businesses struggling from the COVID-19 pandemic.

“We’ve listened to small businesses to understand how we can best help them,” Facebook Chief Operating Officer Sheryl Sandberg wrote in a March 17 post on the platform. “We’ve heard loud and clear that financial support could enable them to keep the lights on and pay people who can’t come to work.”

The need is great. As of May 29, for instance, the federal Paycheck Protection Program of the U.S. Small Business Administration had approved more than $510 billion in emergency loans to over 4.4 million businesses, agency officials told Digital Privacy News.

But Facebook’s assistance, earmarked for 30,000 businesses in 30 countries, comes with a huge catch, according to lawyers and privacy experts: their data.

Under the program’s terms and privacy policies, applicants must give Facebook license to their personal and business information, experts said.

“The program’s privacy policy appears to not adhere to basic fair-information practice principles.”

Katharina Kopp, Center for Digital Democracy.

They must also agree to Facebook’s general terms and privacy policy, which gives the internet behemoth access to even more data.

“Funders, especially private entities, should not exploit small business owners’ difficult situation by extracting data from them that is not necessary for the administration of the grant — and it should certainly not exploit business owners’ privacy,” Katharina Kopp, deputy director of the nonprofit Center for Digital Democracy, told Digital Privacy News.

“The Facebook grant program’s privacy policy appears to not adhere to basic fair-information practice principles, including data-minimization, purpose specification, and limitation.”

A company spokeswoman told Digital Privacy News that the program was “designed to help small businesses stay afloat” and that “we don’t sell anyone’s data.”

In addition, the firm administering the Facebook program said it would only use applicant data for the program and then destroy it once it ended.

Facebook stopped accepting new grant applications early last month. The portal was first opened for owners in New York and San Francisco on April 21. It gradually opened for other cities over the next few days.

The program remained open for two weeks after each city’s start date. Facebook is now selecting grant recipients.

What’s Up for Grabs

According to the privacy policy for Ureeka Inc., the company Facebook hired to direct the program, applicant data to be surrendered included race, sexual orientation, preferred pronouns, employment history, business plans and pitch decks.

Applicants also had to agree to Facebook’s general usage terms and privacy policy, giving the company to collect and use an even broader swath of data that included their web-browsing and device-use patterns.

Digital Privacy News queried Facebook, based in Menlo Park, Calif., about its rights to the applicant data and whether the information would be used for targeted advertising campaigns — for example — or for its new “Facebook Shops” marketplace, where small businesses can set up online stores.

But the spokeswoman only provided this statement: “This program was designed to help small businesses stay afloat, and any suggestion that our motives lie elsewhere is wrong.

“We don’t sell anyone’s data and we handle application information according to our privacy policy,” the statement said.

In response to similar questions to Ureeka, Kelsey Quickstad, a company representative, told Digital Privacy News: “Ureeka does not license or sell data — and we only use applicants’ information to administer grants.

“We’ve partnered with Facebook to help them support small businesses in a way that protects peoples’ privacy, and we destroy any data we receive after the program ends,” she said.

“Facebook generally doesn’t do anything that is not in Facebook’s own interest.”

Elizabeth Renieris, Harvard University.

Big Scandals, Big Fines

Facebook’s public luster has been deeply tarnished by several huge privacy scandals over the past two years — only 40% of Americans say they trust Facebook with their data, according to one March poll — though the mishaps have not affected the company’s profits despite paying stiff fines. 

Last year, the Federal Trade Commission fined Facebook $5 billion for deceiving customers about the control they had over their private information. In January, the company agreed to pay $550 million to settle a class-action lawsuit alleging that its facial-recognition practices violated an Illinois privacy law.

Just last month, Canadian regulators charged Facebook $9 million over misleading claims about customer privacy. 

Some Experts Not Surprised

Small businesses comprise as much as 40% of Facebook’s advertising base, according to industry analysts, but Elizabeth Renieris, of Harvard University’s Berkman Klein Center for Internet and Society, was not surprised that the company would seek out further data.

“What concerns me is Facebook’s unique ability to exploit this data in ways that other actors could not,” she told Digital Privacy News. “With access to the information gathered through their grants program, it is foreseeable that Facebook could use it to improve products and services such as the new Facebook Shops product.

“Facebook generally doesn’t do anything that is not in Facebook’s own interest,” Renieris continued. “The same rule will apply to any data collected through this program.”

Todd Feathers is a New York technology writer.

Sources (external links):