A Record FTC Fine Won't Fix Facebook, Privacy Experts Say
Facebook needs to make lasting changes in how it collects and uses data. Regulators have limited power to force reforms.
A potential $5 billion fine against Facebook for failing to keep consumer data private would probably not improve the way the social media giant collects and handles user information, some privacy experts and consumer advocates say.
"A billion isn't what it used to be," says former Federal Trade Commission chair William E. Kovacic, now a law professor at George Washington University. "The problem with Facebook writing a check is that it’s the cost of doing business and not a deterrent."
In 2011, Facebook and the FTC reached an agreement in which the social media company promised to clean up its act, after a history of "unfair and deceptive" data collection practices. This week, Facebook warned investors that it could be fined up to $5 billion for breaking that agreement. The company, which posted revenues of $55.8 billion in 2018, would also be subject to ongoing oversight by the FTC, but the full extent of that control remains unclear.
Consumer advocates are skeptical that the FTC, which would levy the multibillion-dollar fine, could compel Facebook to make meaningful changes in the way it handles consumer data.
"Ideally, Facebook would be prevented from tracking what users do off Facebook—that's the biggest privacy problem with the platform. But I doubt the FTC thinks they have the legal capacity to enjoin Facebook from doing that," says Justin Brookman, director of privacy and technology policy for Consumer Reports. "More realistically, the [FTC] order will just order more controls around sharing the personal data of users with third-party apps, which is what led to the Cambridge Analytica scandal."
But as Brookman points out, Facebook already seems to be moving away from that kind of data sharing. "It's not really going to be that big a deal for them," he says.
Before joining CR, Brookman served as policy director of the FTC’s Office of Technology Research and Investigation.
"The FTC is not equipped to deal with Facebook," he says. "The FTC can stop some bad practices at the margins, but fundamentally they don't have the power to rein in Facebook's worst abuses."
Facebook did not respond to a request for comment on the potential fine.
The Agreement Facebook Made in 2011
The FTC investigation is seeking to determine whether Facebook violated its 2011 consent decree over "unfair and deceptive" claims in which it promised consumers that they could keep their information private.
Under the terms of the consent decree, Facebook was:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
"The previous order failed," says former FTC head Kovacic. "The monitoring mechanism turned out to not be effective."
Editor's Note: This article was updated to add information that Facebook has not responded to a request for comment.