The FTC’s Biggest Fish

In recent years the large social media company Facebook has gained significant media coverage for all the wrong reasons. From privacy violations to negligence, Facebook has been put through the wringer countless times across thousands of media outlets all over the globe; in the last two years alone, four massive data breaches have occurred. However, it’s not these breaches that will cement Facebook’s misfortune in the history books. The Cambridge Analytica scandal surpasses all the other incidents in sheer media coverage and resulted in what is, to this day, the largest fine the FTC (Federal Trade Commission) has ever levied. To understand how Facebook, Inc. ended up paying out a five billion dollar settlement, we need to go back to 2012.

On August 10th, 2012, the FTC finalized a direct order forcing Facebook to obtain consumers’ consent before sharing their information beyond established privacy settings. In short, the order required Facebook to take several steps in order to fulfill its promise to its users now and in the future:

  1. “Giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings.”
  2. “Maintaining a comprehensive privacy program to protect consumers’ information.”
  3. “Obtaining biennial privacy audits from an independent third party.”

(FTC, 2012)

By providing these rules, the FTC very clearly set the bar for what measures it expected such a large company in charge of millions of users’ data to have in place. As Jon Leibowitz, Chairman of the FTC in the case against Google in 2012, said, “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.” And this is exactly what ended up happening.

Eight years later the FTC was forced to launch a deep investigation into Facebook’s handling of user data after a researcher broke the news that the British-based political consulting firm Cambridge Analytica had access to the data of 87 million Facebook users, most of whom did not give explicit consent. The FTC found that, in violation of its 2012 orders, Facebook:

  1. “Failed to disclose that even when users chose the most restrictive sharing settings, Facebook could still share user information with the apps of the user’s Facebook friends—unless they also went to the “Apps Settings Page” and opted out of such sharing. The FTC alleges the company did not disclose anywhere on the Privacy Settings page or the “About” section of the profile page that Facebook could still share information with third-party developers on the Facebook platform about an app user’s Facebook friends.”
  2. “Violated the FTC Act’s prohibition against deceptive practices when it told users it would collect their phone numbers to enable a security feature, but did not disclose that it also used those numbers for advertising purposes.”
  3. Upon “[learning] that app developers were violating Facebook’s terms, Facebook’s enforcement action was often influenced by how much advertising money the app developer spent with Facebook.”
  4. “Took inadequate steps to deal with apps that it knew were violating its platform policies.”

(FTC, 2019)

Among other facial recognition and data protection issues, the data that third-party apps had access to “included the news and books they were reading, their relationship details, their religious and political views, their work history, their photos, and the videos they watched” (Fair, 2019). For a more in-depth review of violations, see [3].

The results of this investigation were that, in addition to the five billion dollar fine, Facebook and its subsidiaries, Instagram and WhatsApp, were required to follow strict review guidelines and implement a dedicated internal privacy program consisting of compliance officers that neither CEO Mark Zuckerberg nor any other single employee of Facebook can appoint or remove. Additionally:

  1. “Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data.”
  2. “Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising.”
  3. “Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.”
  4. “Facebook must establish, implement, and maintain a comprehensive data security program.”
  5. “Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext.”
  6. “Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.”

(FTC, 2019)

In the end, it’s disappointing that such a large company could not comply with, nor feel the need to implement, such basic features that most people would agree should be standard across all platforms. The fact that the FTC must check in on, babysit if you will, a multi-billion dollar company for the next 20 years is simply ridiculous. So is the fact that a multinational needs to be watched such that “anytime Facebook makes a privacy decision; multiple independent watchdogs will be looking over its shoulder” (Fair, 2019).

A lot of debate has come up over this number as well. However, the consensus seems to be that this five billion number is too small. As many people point out, five billion is only three months’ worth of revenue for a corporation that large, a slap on the wrist if you will. It’s worrisome to see that large companies like Facebook and Google can just brush off these large fines and walk away unscathed. Maybe GDPR’s 4% fine is more reasonable; maybe it’s still too small for companies of this scale. Maybe it should be based on how large a company really is, or how much its profits are; either way, it seems like experts and politicians alike can’t come up with a good answer for outliers like this. And maybe they don’t have to: as more and more people seem to value their data protection and privacy, the consensus of users may force these large companies to change their business practices or else face irrelevancy and even heftier fines. Only time will tell, but as for the past, Facebook’s fine still holds the FTC’s record, may it increase or never happen again.

[1] Fair, L. (2019, July 24). FTC’s $5 billion Facebook settlement: Record-breaking and history-making. Federal Trade Commission. https://www.ftc.gov/news-events/blogs/business-blog/2019/07/ftcs-5-billion-facebook-settlement-record-breaking-history

[2] FTC. (2012, August 10). FTC approves final settlement with Facebook (FTC File No. 092-3184). Federal Trade Commission. https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-final-settlement-facebook

[3] FTC. (2019, July 24). FTC imposes $5 billion penalty and sweeping new privacy restrictions on Facebook. Federal Trade Commission. https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions