Federal Trade Commission staff assessing whether social media giant Facebook violated a legally binding user privacy agreement with the agency are considering slapping the company with a “record-setting fine,” the Washington Post reported Friday, citing “three people familiar with the deliberations but not authorized to speak on the record.”
At issue is whether Facebook violated a 2011 deal with the FTC, known as a “consent decree,” that required the company to notify and obtain explicit opt-in consent from users before sharing their data beyond their selected privacy settings. It also required Facebook to notify the FTC of cases in which data was misused, as well as prohibited it from “from making misrepresentations about the privacy or security of consumers’ personal information.”
In early 2018, it was revealed that Facebook had allowed an app developer working with the (extremely sketchy) Cambridge Analytica political firm to download data on millions of users, and then did very little to get it back. Former FTC Bureau of Consumer Protection director David Vladeck told the Post the incident raised “serious questions about compliance.” Facebook’s list of scandals, many of them having to do with reckless handling of user data, has kept growing since.
In theory, the FTC could fine Facebook up to $40,000 per violation, though with tens of millions of users affected by the breach, that would run into the trillions. According to the Post, the fine under discussion is more modest but would still dwarf a prior fine of $22.5 million the FTC slapped Google with in 2012.
The FTC has not finalized any decision, the paper wrote:
The FTC’s exact findings in its Facebook investigation and the total amount of the fine, which the agency’s five commissioners have discussed at a private meeting in recent weeks, have not been finalized, two of the people said. Staff has briefed the commissioners about their probe, the third person said, and plan to issue a formal recommendation for a fine soon — a move that would then trigger a vote by the commissioners.
Facebook also has talked with FTC staffers about the investigation, one of the people familiar with the probe said, but it is unclear whether the company would settle with the FTC by accepting a significant financial penalty.
However, the Cambridge Analytica incident was not isolated but the result of site policy that was not changed until the years 2014-2015, when Facebook shut down programs allowing app developers extensive, bulk access to user data. As such, the FTC may determine that Facebook was sharing user data in violation of the consent decree as a routine business practice. According to the Post, two sources told them that additional fines could follow “related to Facebook’s data-sharing agreements with smartphone and TV device-makers, banks and other major businesses and a full roster of third-party apps.”
News of the possible fine was confirmed by the New York Times, which noted that FTC chair Joseph J. Simons has ordered staff not to leak details to the media and that the investigation is being slowed by the ongoing government shutdown.
Nothing is set in stone, and the FTC commissioners sometimes disregard the advice of staff when making decisions. But if the FTC does come down hard on Facebook, it would be a major blow: The company is already reeling from a wave of media and political criticism, while user trust has plummeted. A recent Pew Research Center survey found that users are largely confused about how Facebook categorizes them for advertising purposes, with slightly over half saying they were “not very or not at all comfortable” with the conclusions Facebook had reached about their interests.
Such a decision would also mark a significant escalation in terms of official consequences. While Facebook and government officials in the UK, where Cambridge Analytica was headquartered, have been feuding for months, the UK’s Information Commissioner’s Office was only able to hit the company with a $645,000 fine—less than the company makes in ten minutes.