Nearly a year after announcing an investigation into the incident, the FTC is negotiating with Facebook over a fine that could be billions of dollars, according to multiple people familiar with the probe who spoke on the condition of anonymity last week because they were not authorized to discuss the issues. Experts say the government has to seize on the opportunity to send a message — to Facebook and its peers — that it hears consumers’ frustrations and is willing to challenge the tech industry’s data-collection practices.
“The Facebook inquiry is a basic test of the credibility of the FTC to be an effective privacy enforcement agency,” said William Kovacic, a former Republican commissioner who teaches at George Washington University. “Anything other than a significant penalty will be seen as a form of policy failure and will really impede the agency’s ability to function in the future.”
The FTC declined to comment. Facebook also declined to comment.
Under an eight-year-old agreement, brokered between the FTC and Facebook, the social-networking giant promised to be a better steward of its users' personal information. Facebook also pledged to submit to two decades of regular privacy checkups from a third-party watchdog. Violations open the door for the FTC to impose fines or other requirements on Facebook. Agency leaders secured similar settlements with Google and Twitter in recent years for their own privacy and security mishaps, hailing them at the time as the government’s best efforts to keep Silicon Valley in line.
But some critics contend the FTC has been too forgiving with companies that violate its legal agreements to protect users’ privacy. When the FTC charged Google with tracking some Web users without their knowledge in 2011, for example, the agency issued a $22.5 million fine — a record for a violation that initially drew sharp criticism for being too small. With Facebook, privacy advocates say that the FTC has failed to probe then penalize the company despite nearly a decade of controversies involving consumers’ data.
That the commission hasn’t found a single violation committed by Facebook over that period is “beyond belief, particularly at a time when so many users are feeling their privacy is being violated and the company’s practices are unfair,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, known as EPIC.
The consumer group brought the initial complaint that led to the FTC’s 2011 settlement with Facebook. Last month, Rotenberg again took aim, leading seven other advocacy organizations in calling on the FTC to consider imposing a fine into the billions of dollars, along with more federal oversight of Facebook. They’ve sought punishment in response to Facebook’s entanglement with Cambridge Analytica, a political consultancy that improperly accessed social data on users to target them with political messages. Facebook previously has said it has not violated its 2011 agreement with the FTC.
Even if the FTC can’t broker an agreement with Facebook over fines and other punishments, privacy advocates have urged the agency to stand its ground — and take the company to court.
“The FTC is speaking to the whole industry in what it does here. Its audience is well beyond Facebook and that company's customers. It’s to the whole world and the entire tech industry, that finally it means business in protecting privacy,” said Sen. Richard Blumenthal (D-Conn.).
Such a legal war could prove brutal for both sides, pitting an agency with limited staff and a meager $306 million budget against a corporate behemoth that took in $55.8 billion in revenue just last year. Adding to the pressure, the FTC generally runs the risk that an adverse court ruling in a landmark case could jeopardize the very nature of the agency’s authorities to police companies for privacy and security breaches.
“The last few years have seen the FTC get a series of black eyes in court, as courts have been reluctant to rubber-stamp the agency’s conduct,” said Gerry Stegmaier, a partner at the law firm Reed Smith. “So the agency has a difficult task because, on the one hand, they have very broad authority they use creatively, and they deserve a lot of credit for that, but if they overstep, courts increasingly are showing a willingness to draw a line and stop them in their tracks.”
The U.S. approach to Facebook stands in stark contrast to that of Europe, where regulators have scrutinized Silicon Valley and regularly brought fines against Facebook, Google and others that have misled Web users or mishandled their information. On Sunday, British lawmakers accused Facebook of “intentionally and knowingly” violating privacy and antitrust laws and recommended sweeping probes into the company. They also urged the FTC to penalize Facebook.
Last year, the European Union also began implementing tough data-protection rules that carry steep fines for serial abusers. Months after the General Data Protection Regulation went into effect, French officials brought their first fine against Google for failing to give consumers adequate information about its data-collection practices.
The United States, meanwhile, lacks a national consumer privacy law. With the FTC serving as the country’s de facto privacy cop, experts said it faces additional pressure to use its enforcement powers in the absence of regulation.
“It’s a shame so much weight is put on this,” said Michelle Richardson, the director of the privacy and data project at the Center for Democracy & Technology, an advocacy group and think tank in Washington. “It’s an example of why privacy legislation is needed. So much doesn’t have to ride on these individual enforcement cases."