USA TODAY International Edition
Penalties for privacy violations are rare
Yet FTC could make Facebook pay millions
SAN FRANCISCO – If Facebook has to pay a Federal Trade Commission penalty for the Cambridge Analytica data scandal, it will join a very short list of companies to have done so.
Of 91 cases involving online privacy issues the Federal Trade Commission has brought since the first in 1998, just two companies have paid civil penalties specifically for violating adult users’ privacy, a USA TODAY analysis of FTC data shows.
They are Google, which paid $22.5 million in 2012, and Upromise, which paid $500,000 in 2017.
Because it’s already under an FTC settlement — the first step to incurring a penalty — Facebook risks becoming one of the rare cases where it could pay out for a privacy violation, a rap that could total in the millions of dollars.
Broken promises
The constraints on the FTC when it comes to policing consumers’ privacy rights mean few companies have suffered financial penalties for privacy violations of adults.
The United States does not have a specific law against privacy breaches. The FTC, a government watchdog agency, can bring an action against a company only if it promised to protect customers’ privacy and then didn’t live up to its vow, or if the company violated specific rules protecting the privacy of children or credit reporting. In a few cases it has demanded companies pay back money obtained fraudulently.
When children or credit reporting aren’t involved, it can’t extract monetary penalties unless a company has already reached a settlement with the commission for breaching privacy promises, and the commission then finds that the company violated the settlement. If a company refused to reach a settlement, the FTC could take legal action and potentially demand penalties immediately.
Facebook had its “first strike” in 2011 when the FTC found it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowed it to be shared and made public, according to the FTC.
It agreed to a consent decree that barred it from making misrepresentations about the privacy or security of consumers’ personal information, required it to ask users to agree before enacting changes that override their privacy preferences and prevented it from letting anyone access a user’s material more than 30 days after the user has deleted his or her account.
In addition, Facebook was required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services. It also had to produce independent, third-party audits of that privacy program every two years for the next 20 years.
Cambridge Analytica triggers a probe
Last month, on the eve of two explosive newspaper investigations, Facebook disclosed that it knew in 2015 that nearly 300,000 Facebook users who had downloaded a personality quiz app called This Is Your Digital Life had their information shared with Cambridge Analytica. Facebook failed to alert individual users that their data had been improperly harvested until this month.
The FTC is now investigating whether allowing the personal information of 87 million users to be accessed by political ad targeting firm Cambridge Analytica, without their consent, constitutes a violation of that decree. If the FTC finds it does, that could lead to civil penalties of as much as $16,000 for each violation of the order.
Facebook CEO Mark Zuckerberg doesn’t think it will come to that.
In his testimony before Congress last week, he said “it certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform.”
But when asked whether the incident amounted to a violation of the FTC settlement, Zuckerberg said no.
“My understanding is that — is not that this was a violation of the consent decree,” he said.
Google’s $22.5 million penalty
If Facebook does end up paying, it will become just the third company guilty of this kind of violation to be forced to do so. In the majority of cases the FTC has brought against companies for online privacy issues — 49 of 91 — the commission couldn’t ask for money. Instead it reached a non-monetary settlement agreement with the companies, essentially a “first strike.” Should those companies get a second strike, they could be subject to a monetary penalty.
The settlements require them to implement a comprehensive privacy program and generally obtain regular, independent audits. Usually the company must file a report every two years for 20 years after the settlement, as Facebook has been.
Money from civil penalties only comes into play when a company has breached its “first strike” settlement agreement, which both Google and Upromise did. At that point the FTC can hit the company with penalties.
Google paid out the largest amount so far, $22.5 million, from a 2012 commission finding that the company misrepresented to users of the Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users.
That violated a 2011 settlement order the FTC had with the company over Google’s Buzz social network that was part of Gmail.
In the Upromise case, which cost it $500,000, the FTC found in 2017 that the company didn’t disclose to consumers the full extent of the data it collected about them or how it used that data.
This violated a 2012 agreement the FTC had with the membership reward service, which was aimed at consumers trying to save money for college.
There has been one case in which a seeming second strike didn’t result in a payout. Last week the FTC strengthened its settlement with Uber over a 2016 breach in which tens of millions of Uber riders’ and drivers’ data was accessed, without adding civil penalties.