FIVE BILLION is a big number, but Facebook is a big company. The Federal Trade Commission announced a $5 billion fine against the Silicon Valley giant this week for its violation of an eight-year-old privacy agreement. Critics have pointed out that the money is mere pocket change to a firm of Facebook’s size. But the fine is not the problem, nor are the other remedies the FTC has imposed. The problem is that the nation lacks a strong privacy law, and Congress is sitting on its hands.
Though the penalty Facebook will pay is more than 200 times the size of the next-largest fine that the FTC has ever levied against a technology company, the social media behemoth brought in more than $55 billion in revenue last year — which helps explain why investors celebrated initial reports of the settlement by sending Facebook’s stock soaring. Chief executive Mark Zuckerberg, who owns most of Facebook’s shareholder voting rights, actually made money the day the news broke. But if $5 billion will not stop Facebook, what would? And should a fine’s size really be guided by what will make a company really hurt?
Unfortunately, the FTC’s remedies beyond money mostly amount to more paperwork for Facebook to fill out as it continues to suck up users’ information for the lucrative targeted advertising business that allows it to shrug off massive fines in the first place. Facebook henceforth will have to document how it will handle data every time it develops a product, as well as more strictly monitor what third parties do with user information. The government also will have access to an outside organization’s audits of Facebook’s practices, along with the company’s own certifications, signed by Mr. Zuckerberg, that it is on good behavior.
But explicit restrictions on Facebook’s data collection and processing only cover specific malpractices from the past, such as gathering phone numbers for security and repurposing them for advertising, or sneakily applying facial-recognition technology. Broader limits on using information ostensibly gathered for one reason for another altogether, or combining data from across the Web to create profiles for targeted advertising, aren’t part of the agreement. The agency also let Facebook off the hook for transgressions known or unknown that it has already committed.
The FTC considered tougher punishments, The Post’s Tony Romm has reported — and the two Democratic commissioners who voted against the deal are especially dismayed their agency failed to hold Mr. Zuckerberg personally accountable. But enforcers’ jobs are made much more difficult when there’s no real law to enforce. The restrictions that Facebook’s most strident skeptics in Congress wish the FTC had imposed — ones that put the burden on the company to collect and protect information responsibly and in accordance with user expectations — are the same ones they could apply to all companies that play loose with Americans’ data.
Legislators have been promising a comprehensive bipartisan privacy bill all year, yet the summer recess is approaching without a draft in sight. There is plenty of reason to be dissatisfied with the government’s half-hearted efforts to hold technology companies to account. But in that case, lawmakers should be especially dissatisfied with themselves.