The FTC Fines Facebook. But Privacy Violations Are Not a Thing of the Past

Benton Foundation

Friday, July 26, 2019

Weekly Digest

 You’re reading the Benton Foundation’s Weekly Digest, a recap of the biggest (or most overlooked) telecommunications stories of the week. The digest is delivered via e-mail each Friday.

Round-Up for the Week of July 22-26, 2019

Robbie McBeath

On July 24, 2019 the Federal Trade Commission, together with the Department of Justice, announced a record-breaking $5 billion penalty for Facebook, alleging the company had repeatedly misled its users about the way advertisers and app developers could obtain their personal data. What did Facebook do wrong? What are the components of the settlement? What does it all mean for Big Tech? Let's dive in.

What Did Facebook do Wrong? 

Violating the 2012 FTC Order

The FTC’s sixteen-month investigation determined that Facebook failed to live up to its commitments under a 2012 consent decree. Back in August 2012, the FTC approved a settlement with Facebook resolving charges that the company deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.

Facebook CEO Mark Zuckerberg

The 2012 consent decree required Facebook to take several steps to make sure it lived up to its promises in the future. Now, almost seven years later, the FTC contends that Facebook violated the 2012 decree by deceiving its users when the company shared the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings.

In addition to the violations of the 2012 decree, the FTC alleges that Facebook violated the FTC Act’s prohibition against deceptive practices when the company told users it would collect their phone numbers to enable a security feature, but did not disclose that it also used those numbers for advertising purposes.

The Cambridge Analytica Affair

The same day as the FTC announcement, the Securities and Exchange Commission announced charges against Facebook for making misleading disclosures to investors regarding the risk of misuse of Facebook user data.

The SEC investigation happened because of the Cambridge Analytica revelations. 

A quick refresher: in March 2018, a whistleblower revealed that the now-defunct advertising and data analytics company Cambridge Analytica had harvested the personal data of millions of people's Facebook profiles without their consent and used it for political advertising purposes.

The SEC’s complaint alleges that Facebook discovered the misuse of its users’ information in 2015, but did not correct its disclosure for more than two years. Instead, Facebook continued to tell investors that “our users’ data may be improperly accessed, used or disclosed.” (emphasis added).  

“Public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe a risk as hypothetical when it has in fact happened,” the SEC noted.

According to the SEC complaint, Facebook reinforced this false impression when it told news reporters who were investigating Cambridge Analytica’s use of Facebook user data that it had discovered no evidence of wrongdoing. When the company finally did disclose the incident in March 2018, its stock price dropped.

“We allege that Facebook exacerbated its disclosure failures when it misled reporters who asked the company about its investigation into Cambridge Analytica,” said Erin Schneider, Director of the SEC’s San Francisco Regional Office. “This gave further weight to Facebook’s misleading statements in its public filings.”

Without admitting or denying the SEC’s allegations, Facebook agreed to pay a $100 million penalty. 

“We have heard that words and apologies are not enough and that we need to show action,” said Facebook General Counsel Colin Stretch. “By resolving both the SEC and the FTC investigations, we hope to close this chapter and turn our focus and resources toward the future.”

The FTC also went after Cambridge Analytica.

In a related but separate item, the FTC announced law enforcement actions against Cambridge Analytica. Specifically, the FTC targeted Cambridge Analytica’s former chief executive officer, Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company. The FTC alleges that they used false and deceptive tactics to harvest personal information from millions of Facebook users. Kogan and Nix agreed to a settlement with the FTC that will restrict how they conduct any business in the future. In contrast to the immunity the FTC gave Facebook executives, the agency prohibited Nix and Kogan from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.

Unpacking the Settlement

The FTC settlement includes three major components: 

  1. a record-breaking $5 billion penalty; 
  2. new substantive privacy and data security requirements; and 
  3. significant structural reforms to ensure greater corporate accountability, more rigorous compliance monitoring, and increased transparency.

1. $5 Billion Penalty 

The FTC fined the company $5 billion because, essentially, Facebook was deceptive in its disclosures and settings in a way that undermined users’ privacy preferences in violation of the 2012 settlement. How I would describe it: The company misrepresented itself, lied, and covered it up, at a cost of massive privacy violations for U.S. users. Or, how FTC Chairman Joe Simons would say it: “Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices." He continued, "The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations."

 

Five billion dollars is approximately 9% of Facebook’s 2018 revenue, and approximately 23% of its 2018 profit, but less than 1% of the total market value of the company. The penalty is over 20 times greater than the largest fine to date under the European Union’s General Data Protection Regulation (GDPR). The penalty “sends a strong message to every company in America that collects consumers’ data: where the FTC has the authority to seek penalties, it will use that authority aggressively,” according to Chairman Simons. 

2. New Privacy and Data Security Requirements

According to the FTC’s Republican commissioners, this week’s settlement imposes significant new privacy obligations on Facebook:

  • Requires greater oversight of third-party developers, including a requirement to terminate developers' access to users’ information if they fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data.
  • Enforces its platform terms against app developers solely on the basis of the severity of the violation and without regard to the financial benefit that flows to Facebook from the relationship. 
  • Expands Facebook's existing privacy program to cover WhatsApp, Instagram, and any Facebook product or service that receives personal information from Facebook or WhatsApp.
    • This is the first FTC order to address biometric information, requiring Facebook to get consumers’ opt-in consent before using or sharing such information in ways that exceed prior disclosures and consents.
  • Requires Facebook to establish and maintain a comprehensive data security program, a combination of obligations not imposed by any other FTC order. 
    • The Order also specifies data security obligations related to authentication, access controls, and encryption. Collectively, these requirements will not only alter the way Facebook does business, but also send an important signal to the marketplace about privacy and security best practices.

3. Structural Reforms

The settlement imposes a series of structural reforms:

  • Greater accountability at the board of directors level
    • Establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.
  • A privacy regime that includes a new corporate governance structure, with corporate and individual accountability and more rigorous compliance monitoring.
    • Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.
  • External oversight of Facebook 
    • Settlement enhances the independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps
    • Requires several different mandatory information flows about privacy decisions through multiple internal and external channels of compliance, so that if there is a breakdown in one or more channels, another channel can identify the problem and fix it. This approach dramatically increases the likelihood that Facebook will be compliant with the settlement; if there are any deviations, they likely will be detected and remedied quickly.

Criticism

When the FTC settlement was announced, there was a flood of criticism from dissenting FTC commissioners, Members of Congress, and many in the public interest community. 

Dissenting FTC Commissioners

The FTC’s three Republican commissioners voted to approve the deal, while the two Democratic commissioners -- Rohit Chopra and Rebecca Kelly Slaughter -- dissented. The criticisms fell under a few main themes:

1. $5 Billion Is Not Enough

Commissioner Chopra said the $5 billion penalty is less than Facebook’s exposure from its illegal conduct, given its financial gains. The FTC can seek civil penalties in addition to unjust gains. In the FTC’s 2012 action against Google, the FTC obtained a penalty of more than five times the company’s unjust gains. “This is a departure from that approach,” Chopra said. 

“When companies can violate the law, pay big penalties and still turn a profit while keeping their business model intact, enforcement agencies cannot claim victory.” -- FTC Commissioner Rohit Chopra

Commissioner Slaughter agreed. “The negotiated civil penalty is insufficient under the applicable statutory factors we are charged with weighing for order violators: injury to the public, ability to pay, eliminating the benefits derived from the violation, and vindicating the authority of the FTC.”

The markets shrugged at the $5 billion fine. Facebook's stock price hit its highest point in almost a year after news of the fine broke.

2. Not Enough Structural Changes

Commissioner Chopra noted that Facebook’s violations were a direct result of the company’s behavioral advertising business model, and the settlement does little to change it:

The settlement imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations. Nor does it include any restrictions on the company’s mass surveillance or advertising tactics. Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.

Commissioner Slaughter also commented:

While the order includes some encouraging injunctive relief, I am skeptical that its terms will have a meaningful disciplining effect on how Facebook treats data and privacy. Specifically, I cannot view the order as adequately deterrent without both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook’s data use and order compliance. 

3. The FTC Should Have Litigated. And Targeted Zuckerberg.

“[M]y deepest concern with this order is that its release of Facebook and its officers from legal liability is far too broad,” said Commissioner Slaughter.

“The evidence the Commission amassed in its investigation more than justified initiating litigation against Facebook and Mr. Zuckerberg alleging violations of the Commission’s order,” she said. “I believe the Commission should have voted to refer a complaint against Facebook and Mr. Zuckerberg to the Department of Justice in order to initiate litigation.” 

For Commissioner Chopra, granting immunity to Facebook’s officers and directors amounted to a “giveaway.” “Facebook’s officers and directors were legally bound to ensure compliance with the 2012 order, yet the proposed settlement grants a gift of immunity for their failure to do so. The Commissioners supporting this settlement do not point to any documents or sworn testimony to justify this immunity,” he said. 

Commissioner Chopra also criticized the agency for not deposing Zuckerberg.  

Further, Commissioner Chopra was disappointed that the settlement lets Facebook off the hook for unspecified violations. The FTC agreed the settlement would shield Facebook from known claims of violations before June 12, 2019. “The settlement gives Facebook a legal shield of unusual breadth, deviating from standard FTC practice,” said Commissioner Chopra.

Members of Congress

The FTC settlement aroused many responses from Congress -- mostly negative.

Senator Josh Hawley (R-MO) slammed the deal for doing "nothing to change Facebook's creepy surveillance of its own users [and] the misuse of user data. It does nothing to hold executives accountable. It utterly fails to penalize Facebook in any effective way."

Senator Marsha Blackburn (R-TN) said last week that Facebook’s fine “should have been $50 billion.”

Senator Ron Wyden (D-OR) said

For a mere fraction of Facebook’s annual revenues, the FTC has given Facebook and executives like Mark Zuckerberg and Sheryl Sandberg blanket immunity for violations of the law that we know about, and even for potential crimes that are still unknown. That sweetheart deal is especially weak, given revelations over the past year about Facebook abuses that I fear have not been thoroughly investigated. The FTC is sending the message that wealthy executives and massive corporations can rampantly violate Americans’ privacy, lie about how our personal information is used and abused and get off with no meaningful consequences.

“With its settlement with Facebook, the FTC not only fell short, it fell on its face,” said Senator Ed Markey (D-MA). “Facebook is getting away with some of the most egregious corporate bad behavior in the age of the internet.” He added:

The new rules placed on Facebook in this consent decree fail to systematically change Facebook’s internal infrastructure and put a stop to its privacy malpractice once and for all. This settlement does not adequately address the threats to child and teen users on Facebook, the need for increased transparency about Facebook’s practices, and the imperative for individuals to be held accountable for violating consumer trust. It should disturb all of us that this agreement between Facebook and the FTC appears to broadly shield the company from accountability for other violations of the user privacy, including misuse of children’s data.

Some lawmakers, however, have applauded the settlement, noting that it is one of the largest ever imposed by the FTC related to privacy issues.

"Today’s settlement announced by the FTC against Facebook is one of the largest civil penalties ever imposed by the U.S. government and it is by far the largest privacy or data security settlement the world has seen yet," said House Commerce Committee Ranking Member Greg Walden (R-OR) and Rep. Cathy McMorris Rodgers (R-WA).

Public Interest Community 

Charlotte Slaiman, Competition Policy Counsel at Public Knowledge, said, “It is frustrating that the FTC was not able to achieve more significant changes to Facebook’s behavior going forward. Facebook users cannot count on being protected as a result of this settlement.”

Free Press Policy Counsel Gaurav Laroia said Facebook’s lax privacy controls enabled the manipulation of voters in the 2016 election and damaged our democracy. “Without corrective action, the business of behavioral advertising is bound to harm our social, political and private lives again and again. It’s now up to Congress to pass legislation to protect our privacy, our democracy and our civil rights.”

Marta Tellado, President and CEO of Consumer Reports, said: 

With a weak and under-resourced FTC, and a glaring need for far more comprehensive privacy laws, Congress must raise the standards for consumers and hold Big Tech accountable. Lawmakers have a responsibility to pass laws that offer real protections, giving consumers control of their data and the FTC the power it needs to rein in Big Tech. The details of this settlement make it brutally clear that this isn’t just about Facebook’s privacy policies.  Facebook made a concerted effort to control and manipulate consumer choices, by misrepresenting how they do business, and how they treat their users.

Defense of the Settlement

Litigation Vs. Settlement

At a press conference following the announcement of the settlement, the Republican FTC commissioners who voted in favor, including Chairman Joseph Simons, defended the deal as a “home run.” 

The trio released a statement, saying the FTC’s main goal was “to obtain the most meaningful relief to best protect the American public.” For them, this meant not pursuing litigation because “the relief we have secured today is substantially greater than what we realistically might have obtained by litigating, likely for years, in court.” They continued:

Moreover, a settlement brings immediate changes to Facebook’s flawed privacy and data security practices and requires immediate protections for Facebook users. In light of our responsibility to be effective stewards of the public resources entrusted to the Commission, it would not have made sense to pursue protracted and expensive litigation likely to yield substantially weaker relief. 

The FTC majority claims litigation would not enable the affirmative obligations and corporate governance reforms the FTC obtained. Court-imposed relief would be “limited to injunctive relief to remedy the specific proven violations and to prevent similar or related violations from occurring in the future.” For example, because FTC does not, and could not, allege and prove that Facebook’s current board structure is illegal or that changes in corporate governance are necessary to effectuate compliance with the settlement and the FTC Act, “it is unlikely that a court would mandate any corporate governance reforms.”

However, a big part of the decision to settle rather than litigate may have been because of Zuckerberg's powerful role at the company. As part of their investigation, FTC officials received “millions of pages” of emails and communications that included Zuckerberg, and they felt that the agency had enough information to understand his role in the company’s privacy decisions. If Zuckerberg were deposed, Facebook officials were reportedly worried that it could open him up to a slew of private lawsuits if he was found to have made misstatements. If the FTC attempted to depose him, Facebook wouldn’t have agreed to a settlement and the FTC would have no other choice but to pursue the company in court. "In essence, Zuckerberg’s power on the board was a bargaining chip used by the FTC to negotiate the terms we saw in the settlement," wrote Makena Kelly. 

The FTC majority claimed Zuckerberg's influence was severely diminished, as the settlement adds accountability measures and extinguishes the ability of Zuckerberg to make privacy decisions unilaterally.

Limited Authority

The FTC majority addressed the view that the settlement does not "do more to address structural reform" by noting the limited authority of the FTC. We've heard this tune before. In addition to noting it was not a regulator, the FTC majority used a well-versed talking point for when an agency’s deregulatory actions are criticized: Look, our hands are tied, and it’s up to Congress to fix it. (Chairman Pai sang this tune in his repeal of net neutrality when he called on Congress to figure out the issue and abdicated FCC authority over the Internet). 

Chairman Simons' take:

Our authority in these types of cases is quite limited, which is why we have encouraged Congress to consider federal privacy legislation. But for now, the only real-world choice here was to take a historic settlement that provides immediate and important protection to American consumers, or wait for years to get far less relief. Not really much of a choice at all.

Relying on Congress to solve problems through legislation is now a common way for agencies to punt on whether to actually carry out public interest duties like enacting fines and conducting regulatory enforcement. Congress is gridlocked, so awaiting Congressional action is a good way to deflect blame, extend the conversation, and ultimately abdicate responsibility.

The FTC majority expanded on their limited authority:

As a civil law enforcement agency (and not a regulator), we can only get what we can win in litigation or via hard-fought negotiations. The FTC does not have the authority to regulate by fiat. The extent to which Facebook, or any other company, should be able to collect, use, aggregate, and monetize data, is something Congress should evaluate in its consideration of federal privacy legislation. Our 100-year-old statute does not give us free rein to impose these restrictions.

“Look, we don't have a national privacy law,” said Republican FTC Commissioner Phillips. “And if there were a national privacy law and Facebook violated that law, you know, likely, depending on how the law could have been written, this might have looked different.”

Like the net neutrality debate, calls for legislation are generally well-received. Many lawmakers and public interest advocates noted the need for a national privacy law. Eric Null, senior counsel at New America’s Open Technology Institute, said the settlement exemplifies the need for strong privacy legislation because a law could "better protect consumers everywhere by making many practices, including those Facebook engaged in, explicitly unlawful." The FTC only achieved as much as it did with the settlement because it had a prior consent decree in place. "Without comprehensive privacy legislation," Null says, "consumers will likely end up with more of the same."

Still, despite admitting it is limited in what it can achieve, the FTC majority felt it was an excellent decision. “We are confident that any evaluation of the Order based on its merits and a rational understanding of the law will yield but one conclusion: this settlement represents an unprecedented victory for consumer privacy.”

Conclusion

Critics of the Facebook settlement say it is a clear sign that the FTC is unable to handle the many challenges posed by Big Tech. Beyond the limited authority of the FTC, there's also the challenge of being financially and politically outmatched. 

The FTC has a budget of roughly $306 million a year with around 1,100 full-time staffers, 40 of whom are dedicated to privacy enforcement. That’s dwarfed by Facebook’s resources: The company is worth a half-trillion dollars and has nearly 30 employees for every one of the FTC’s. The FTC’s budget represented roughly 0.55% of Facebook’s 2018 revenue. “It is as if there were massive street crime waves in a major city with two dozen police to handle the chaos,” wrote Ralph Nader in a July 17 letter to the FTC.

As a result, there have been calls for bolstering the FTC -- or creating a new agency altogether. Reps. Zoe Lofgren (D-CA) and Anna Eshoo (D-CA) are circulating a proposal that would create a 1,600-employee U.S. Digital Privacy Agency with an annual budget of $200 million. It's modeled on the Consumer Financial Protection Bureau that was created in 2011.

Benton Senior Fellow and Public Advocate Gigi Sohn agrees on the need for more regulatory power over privacy. "How many regulators does banking have? How many does transportation have?" she said. "So why, when you’re talking about the most lucrative and one of the most important sectors of the economy, why don’t you want to have a sector-specific regulator?"

The FTC has fined Facebook. But, with a clearly limited and outmatched FTC, are privacy violations really a thing of the past? No. This sad story continues.


© Benton Foundation 2019. Redistribution of this email publication - both internally and externally - is encouraged if it includes this copyright statement.


By Robbie McBeath.