The FTC is nearing completion of its 2018 investigation of Facebook resulting from the Cambridge Analytica debacle. It is already clear that Facebook grossly violated its 2011 FTC Consent Decree.
That Decree was based on broad violations of the government’s requirements for Facebook’s protection of user privacy. It turned out that Facebook’s many promises to protect user data from public disclosure, from access by certain Apps, the status of the security of its Apps and the required inaccessibility of user data after they deleted their accounts were unfortunately all false.
Expectations are that the FTC’s action will be sweeping and historic. In fact, in its recent 1st Quarter 2019 earnings release, Facebook said that it expected to be fined by the FTC $3–5 Billion. Since the largest FTC fine in history was $22.5 million, assessed against Google back in 2012, the expected FTC action here is indeed major.
The FTC Consent Decree imposed a sweeping series of actions to protect Facebook user privacy, including requirements for a broad privacy program, prior notice & user consent before sharing user data and strict controls over sharing user data with third parties, including advertisers.
Now that Facebook is bracing itself for a huge high-profile fine for its improper business practices, what will the FTC do? In considering this question, realize that:
- The FTC is the primary regulator of online data privacy in the U.S. It loses all credibility if it doesn’t take strong action in this case;
- Congress is actively considering giving the FTC greatly enhanced privacy authority, so it must be perceived as a strong regulator of online user privacy; and
- Every year, the E.U. reviews U.S. enforcement of the E.U – U.S. Privacy Shield, the mechanism by which data is freely transferred between the E.U. and U.S. S. companies have a strong interest in continued approval of the Privacy Shield;
- A weak response by the FTC will embolden E.U. regulatory action against U.S. companies doing business there, which will only further complicate things.
Given the big picture, the FTC likely has to throw the book at Facebook, given the egregious facts and the high-profile nature of this case – an unprecedented fine is virtually assured. However, the true test of the FTC’s view of the seriousness of Facebook’s behavior would be to place broad new restrictions on how Facebook currently collects, uses, stores and shares user data.
That kind of strong action in Washington would go to the heart of how Facebook does business, and better protect data privacy. Time will tell how impactful the Federal Government’s actions against Facebook will be, and the associated consequence of Facebook’s failure to protect the privacy of its many users’ personal data.
In the meantime, keep a close eye on not only the FTC’s action against Facebook, but the increased attention that Congress is paying to the issue of online data privacy. Regulators in Washington are finally paying close attention to this critical issue and debating new laws, which will impact many millions of consumers and businesses around the world.