A Record FTC Fine Won't Fix Facebook, Privacy Experts Say

Facebook needs to make lasting changes in how it collects and uses data. Regulators have limited power to force reforms.

Mark Zuckerburg
Facebook CEO and founder Mark Zuckerberg testifying in Congress about Cambridge Analytica and Facebook data practices last April.

A potential $5 billion fine against Facebook for failing to keep consumer data private would probably not improve the way the social media giant collects and handles user information, some privacy experts and consumer advocates say.

"A billion isn't what it used to be," says former Federal Trade Commission chair William E. Kovacic, now a law professor at George Washington University. "The problem with Facebook writing a check is that it’s the cost of doing business and not a deterrent."

In 2011, Facebook and the FTC reached an agreement in which the social media company promised to clean up its act, after a history of "unfair and deceptive" data collection practices. This week, Facebook warned investors that it could be fined up to $5 billion for breaking that agreement. The company, which posted revenues of $55.8 billion in 2018, would also be subject to ongoing oversight by the FTC, but the full extent of that control remains unclear.

Consumer advocates are skeptical that the FTC, which would levy the multibillion-dollar fine, could compel Facebook to make meaningful changes in the way it handles consumer data.

"Ideally, Facebook would be prevented from tracking what users do off Facebook—that's the biggest privacy problem with the platform. But I doubt the FTC thinks they have the legal capacity to enjoin Facebook from doing that," says Justin Brookman, director of privacy and technology policy for Consumer Reports. "More realistically, the [FTC] order will just order more controls around sharing the personal data of users with third-party apps, which is what led to the Cambridge Analytica scandal."

But as Brookman points out, Facebook already seems to be moving away from that kind of data sharing. "It's not really going to be that big a deal for them," he says.

Before joining CR, Brookman served as policy director of the FTC’s Office of Technology Research and Investigation.

"The FTC is not equipped to deal with Facebook," he says. "The FTC can stop some bad practices at the margins, but fundamentally they don't have the power to rein in Facebook's worst abuses."

Facebook did not respond to a request for comment on the potential fine.

More on Facebook

The FTC has been investigating possible violations of the 2011 agreement for more than a year, ever since the Cambridge Analytica scandal broke in March 2018, when consumers learned that the personal data of 87 million Facebook users had been misused by a political consulting company.

Multiple privacy missteps by Facebook have been revealed since then. These include an October 2018 data breach, a Facebook bug that let developers improperly download user photos, news that Facebook let children amass credit card bills on the site, and recent federal charges against the company for alleged violations of the Fair Housing Act.

Christine Bannan, consumer protection counsel of the Electronic Privacy Information Center (EPIC), says that "a fine is not enough to enforce the consent order, because it will not reform Facebook's business practices."

Kovacic, who oversaw the FTC when the 2011 consent decree was crafted, says the agency should demand a satisfactory plan of action for preventing future issues. "As part of these negotiations, I would want [from Facebook] a convincing explanation of how you're going to solve this problem of safeguarding user data."

Speculation over the size of a potential fine has swirled around Washington, D.C., for weeks, with guesses ranging from the billions of dollars down to zero. Facebook floated the $5 billion figure in financial reporting documents released this week.

A fine that size would be the biggest ever levied by the FTC in a digital privacy case, hurtling past a $22.5 million fine imposed on Google in 2012.

The Agreement Facebook Made in 2011

The FTC investigation is seeking to determine whether Facebook violated its 2011 consent decree over "unfair and deceptive" claims in which it promised consumers that they could keep their information private.

Under the terms of the consent decree, Facebook was:

  • barred from making misrepresentations about the privacy or security of consumers' personal information;
  • required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

"The previous order failed," says former FTC head Kovacic. "The monitoring mechanism turned out to not be effective."

Editor's Note: This article was updated to add information that Facebook has not responded to a request for comment.

Allen St. John

I believe that technology has the power to change our lives—for better or for worse. That's why I’ve spent my life reporting and writing about it for outlets of all sorts, from newspapers (such as the Wall Street Journal and the New York Times) to magazines (Popular Mechanics and Rolling Stone) and even my own books ("Newton’s Football" and "Clapton’s Guitar"). For me, there's no better way to spend a day than talking to a bunch of experts about an important subject and then writing a story that'll help others be smarter and better informed.