In July 2019, the Federal Trade Commission (FTC) announced a settlement with Facebook for alleged violations of a 2012 commission order and the FTC Act. The settlement’s record-breaking $5 billion fine and sweeping conduct relief required Facebook to implement new privacy controls, structural reforms, and compliance and transparency terms. Facebook’s Chief Privacy Officer and its CEO, Mark Zuckerberg, must certify quarterly compliance or face civil and criminal penalties. In recent remarks at the Global Antitrust Institute, FTC Commissioner Christine Wilson described how the settlement was developed and stated that the enforcement brings immediate protections for Facebook users, changes the company’s practices, and provides meaningful relief to the American public.
According to the FTC, Facebook subverted users’ privacy choices to serve its own business interests. By 2010, Facebook’s default settings for third-party apps collected not only primary users’ information but also that of their friends. Users were subjected to app information collection without their knowledge or permission. The FTC obtained a consent decree to halt the practice and required Facebook to enable a feature letting users select their own privacy settings (whether or not the app would collect data). But Facebook continued the practice, with tens of millions opting for privacy settings that were not honored.
The FTC also alleged that Facebook failed to maintain a reasonable privacy program that safeguarded the privacy, confidentiality, and integrity of user information. Moreover, it did not vet third-party developers. Facebook also asked users for information for security purposes that was then used for advertising, violating the FTC Act. In April 2018, when communicating with users about its facial-recognition technology, Facebook implied that users had to opt in for it to work, but users “actually had to opt out to disable the facial recognition.” While the FTC checked Facebook every two years, the company didn’t reveal the illegal practices, which were also not discovered by the FTC.
The $5 billion fine, calculated with a five-factor analysis by the FTC’s Bureau of Economics, is some 200 times larger than the largest fine to date in the US for a privacy violation and more than 20 times larger than what Facebook would have been fined in the EU under the General Data Protection Regulation (GDPR). The penalty represents 9 percent of Facebook’s 2018 revenue and approximately 23 percent of its 2018 profit. The fine resets the baseline for privacy cases and sends a strong message to other firms.
The settlement’s substantive privacy and data security requirements include greater oversight of developers, controls on biometric information (the first FTC order to do so), and a new corporate governance structure with an independent privacy subcommittee that doesn’t include Facebook employees or officers.
Some say the settlement is too little
The settlement was rejected by the FTC’s two Democratic commissioners, with Commissioner Rohit Chopra claiming that the settlement doesn’t change Facebook’s business model, that the fine is dwarfed by the company’s “unjust gains,” and that Facebook’s board received immunity from the 2012 order. He prefers injunctions and higher fines on principle, recognizing that Facebook would inevitably challenge an even tougher settlement in court. However, the courts could strike down the order altogether, and consumers would lose increased privacy protections, whereas the current order’s rules are immediately in effect. Moreover, Facebook’s business model isn’t illegal.
The FTC can now hire and fire the independent privacy assessor, something it could not do before; that limitation possibly had something to do with the earlier privacy assessor failing to detect these violations. A separate independent analysis finds that the FTC settlement, with its certification provisions, exceeds the fines and conduct relief under the GDPR, which privacy advocates consider the gold standard for privacy regulation. Indeed, FTC privacy orders are considered the common law of privacy.
Some suggest that tougher settlements are a way to communicate to Congress a need to update the law, but litigation is expensive and time-consuming, and the FTC must regularly report to Congress anyway. In any event, the privacy bills teed up in the Senate would give the FTC authority to render penalties upon finding violations without having to set up an order. Notably, other investigations of Facebook — for antitrust violations, biased treatment of content, and its role in elections — continue. The FTC just issued a unanimous censure against now defunct Cambridge Analytica for deception.
Some say the settlement is too much
Some observe that there is no market failure for regulators to correct. Users can exercise their own choices by leaving the platform or expressing their dissatisfaction. In fact, Facebook continues to gain users in all regions globally, proving that many value the platform as is. Congress and the courts have called out the FTC for excessive intervention. One startup sued the FTC for its overreach on data security and won, but the litigation bankrupted the company.
The settlement is just right
In reality, the settlement strikes the right balance of disclosure (ensuring that information is available so consumers can make informed decisions), independent review, and financial penalty. The exercise was concluded within a year, using existing laws and FTC resources. European law can’t deliver an outcome as quickly or effectively. Most importantly, the compliance obligations are placed on a specific actor for perpetrating cognizable harms instead of saddling every online entity with extensive regulatory obligations.
Facebook is already exceeding expectations to review and reshape how data moves through its platform. It has suspended thousands of apps found to have unauthorized access to data, and is providing additional transparency to users about the data companies have collected on them (and providing the option for users to delete the information). When it comes to fulfilling regulators’ wish list for compliance, Facebook is a shining example.
This article by Roslyn Layton appeared at AEI on December 16.