August 14, 2019

Facebook ‘Unfriended’ by Regulators, Hit with Historic Fines

Patrick McKnight

It’s been a rough few weeks for Mark Zuckerberg’s social media empire. Recent fines could represent important new precedents in how regulators approach online privacy issues. Facebook agreed to a record $5 billion settlement with the Federal Trade Commission. The deal also requires structural reforms within the Facebook organization aimed at increasing oversight of privacy-related decision making. The tech giant also agreed to a $100 million settlement with the Securities and Exchange Commission. The SEC focused on privacy disclosures related to the Cambridge Analytica scandal. This settlement was particularly noteworthy because unlike the SEC’s recent settlement with Altaba (formerly Yahoo), Facebook’s privacy problems did not involve a hack. Instead, Facebook misled investors regarding a third-party developer’s improper data transfer. Facebook’s proposed “Libra” cryptocurrency was likewise met with skepticism from both activists and regulators.

Facebook also faces various lawsuits in Europe in connection with alleged General Data Protection Regulation (GDPR) violations. Most notably, privacy activist Max Schrems continues to make steady progress with an Austrian class-action suit. The Irish Supreme Court also dismissed Facebook’s attempt to block a similar action earlier this year.

FTC Levies Historic Fine

$5 billion is a considerable amount of money, even for a tech colossus like Facebook. Nonetheless, this hasn’t stopped some critics from suggesting the FTC should have done more. In addition to the historic fine, the company also agreed to establish an independent board-level privacy committee to limit Zuckerberg’s “unfettered control” over privacy decisions. The FTC cited problems with how Facebook handled the Cambridge Analytica scandal, as well as its failure to inform users of privacy threats posed by facial recognition technology. On the other hand, Facebook wasn’t required to admit any liability, and the agreement released Zuckerberg and Facebook’s officers from liability.

“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” explained FTC Chairman Joe Simons. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

Facebook boasts almost 2.4 billion monthly active users as of early 2019. The $5 billion settlement equals 9% of Facebook’s 2018 revenue. According to the FTC, it’s also almost 20 times greater than the largest privacy or data security penalty ever handed down.

Not everyone felt the FTC’s actions went far enough. The Electronic Privacy Information Center says the FTC should have acted more decisively and wants to see the establishment of a new data protection agency. “The FTC’s action is too little, too late,” according to EPIC President Marc Rotenberg.

ACLU senior legislative counsel Neema Singh Guliani was likewise unsatisfied, calling the settlement “woefully inadequate.” Guliani also wants to see broader federal privacy protection legislation. “While there is no way to adequately provide restitution to the over 87 million people whose rights were violated, this settlement doesn’t even come close to preventing such violations from occurring again.”

SEC Settlement

The FTC wasn’t the only regulator to punish Facebook for privacy violations this summer. The Securities and Exchange Commission reached a $100 million settlement for claims related to misleading statements the company made to investors. While much smaller in size than the FTC settlement, the agreement is notable because it did not technically involve a hack or data breach. Instead, the tech giant characterized claims that user data was misused as “merely hypothetical” when it knew the allegations were factual.

“Public companies must accurately describe the material risks to their business,” SEC enforcement division co-director Stephanie Avakian announced. “As alleged in our complaint, Facebook presented the risk of misuse as hypothetical when they knew user data had in fact been misused.”

The locus of the SEC settlement was the statements Facebook made during the Cambridge Analytica scandal. Facebook denied the rumors of the misuse of user data until it learned newspapers were preparing to publish the details in March 2018. This caused Facebook’s stock to plummet approximately 15% in just one week. Facebook is also facing an assortment of shareholder actions.

Facebook hoped it would make headlines this summer for its Libra cryptocurrency plan. Instead, the company has made headlines for all the wrong reasons. What’s more, Libra has been met with criticism and skepticism by both privacy activists and regulatory bodies.

As the public becomes increasingly concerned about data privacy, it seems clear businesses will be expected to do more than merely report breaches or update their privacy policies. It remains to be seen to what extent the CCPA might be amended or whether Congress will enact sweeping federal privacy legislation.

Facebook, once ascendant and seemingly unstoppable, may have a larger problem on its hands than fines, settlements, and increased regulatory scrutiny. Some studies suggest up to 25% of Americans have deleted their profiles. Other studies document the declining relevance of Facebook for younger users.

Although Facebook seems increasingly out of touch with the expectations of both regulators and consumers, the company is far from finished. Facebook is also the owner of both WhatsApp and Instagram, the fastest-growing social media platform in the world. Then again, the FTC just announced its investigation into these acquisitions for antitrust violations.

Facebook still has friends, but it’s losing them fast.