USA TODAY US Edition

Penalties for privacy violations are rare

But FTC could force Facebook to pay millions

- Elizabeth Weise

SAN FRANCISCO – If Facebook has to pay a Federal Trade Commission penalty for the Cambridge Analytica data scandal, it will join a very short list of companies to have done so.

Of 91 cases involving online privacy issues the Federal Trade Commission has brought since the first in 1998, just two companies have paid civil penalties specifically for violating adult users’ privacy, a USA TODAY analysis of FTC data shows.

They are Google, which paid $22.5 million in 2012, and Upromise, which paid $500,000 in 2017.

Because it already is under an FTC settlement — the first step to incurring a penalty — Facebook risks becoming one of the rare cases where it could pay out for a privacy violation, a rap that could total millions of dollars.

Broken promises

Constraints on the FTC when it comes to policing consumers’ privacy rights mean few companies have suffered financial penalties for privacy violations.

The United States does not have a specific law against privacy breaches. The FTC, a government watchdog agency, can bring an action against a company only if it promised to protect customers’ privacy and then didn’t live up to its vow, or if the company violated specific rules protecting the privacy of children or credit reporting. In a few cases it has also demanded companies pay back money obtained fraudulently.

When children or credit reporting aren’t involved, it can’t extract monetary penalties unless a company has already reached a settlement with the commission for breaching privacy promises and then is found to have violated the settlement. If a company refused to reach a settlement, the FTC could take legal action and potentially demand penalties immediately.

Facebook had its “first strike” in 2011 when the FTC found it deceived consumers by telling them they could keep their information on Facebook private and then repeatedly allowed it to be shared and made public, the FTC says.

The company agreed to a consent decree that barred it from making misrepresentations about the privacy or security of consumers’ personal information, required it to ask users to agree before enacting changes that override their privacy preferences and prevented it from letting anyone access a user’s material more than 30 days after the user has deleted his or her account.

In addition, Facebook was required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services. It also had to produce independent, third-party audits of that privacy program every two years for the next 20 years.

Cambridge Analytica starts probe

Last month, on the eve of two explosive newspaper investigations, Facebook disclosed that it knew in 2015 that nearly 300,000 Facebook users who had downloaded a personality quiz app called This Is Your Digital Life had their information shared with Cambridge Analytica without their consent. Since Facebook had previously allowed developers to access friends of the users of an app, that number multiplied to 87 million, Facebook says. It was only this month that Facebook started to alert individual users that their data had been improperly harvested.

The FTC is now investigating whether Facebook has violated the decree. If the FTC finds it has, that could lead to civil penalties of as much as $16,000 for each violation of the order.

Facebook CEO Mark Zuckerberg doesn’t think it will come to that.

In his testimony before Congress last week, he said “it certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform.”

But when asked whether the incident amounted to a violation of the FTC settlement, Zuckerberg said no.

“My understanding is that — is not that this was a violation of the consent decree,” he said.

Google’s $22.5 million penalty

If Facebook does end up paying, it will become just the third company guilty of this kind of violation to be forced to do so.

In the majority of cases the FTC has brought against companies for online privacy issues — 49 of 91 — the commission couldn’t ask for money. Instead it reached a non-monetary settlement agreement with the companies, essentially a “first strike.” Should those companies get a second strike, they could be subject to a financial penalty.

The settlements require them to implement a comprehensive privacy program and generally obtain regular, independent audits. Usually the company must file a report every two years for 20 years after the settlement, as Facebook has been.

Money from civil penalties only comes into play when a company has breached its “first strike” settlement agreement, which both Google and Upromise did. At that point the FTC can hit the company with penalties.

Google’s $22.5 million was the largest amount paid so far, from a 2012 commission finding that the company misrepresented to users of the Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users.

That violated a 2011 settlement order the FTC had with the company over Google’s Buzz social network that was part of Gmail.

In the Upromise case, which cost it $500,000, the FTC found in 2017 that the company didn’t disclose to consumers the full extent of the data it collected about them or how it used that data.

This violated a 2012 agreement the FTC had with the membership reward service, which was aimed at consumers trying to save money for college.

There has been one case in which a seeming second strike didn’t result in a payout. Last week, the FTC strengthened its settlement with Uber over a 2016 breach in which tens of millions of Uber riders’ and drivers’ data was accessed, without adding civil penalties.

Were users deceived?

In Facebook’s case, FTC commissioners now must determine whether the company did indeed violate the terms of its settlement.

Experts don’t agree on what that outcome might be.

“One has to make an argument that consumers were deceived about friend information sharing, and that’s a difficult point to prove,” said Chris Hoofnagle, a law professor at the University of California at Berkeley and author of Federal Trade Commission Privacy Law and Policy.

Others say there’s no question Facebook will be dinged.

“This has got to be about the easiest case ever presented to the FTC,” said Marc Rotenberg, executive director of the non-profit Electronic Privacy Information Center in Washington. EPIC pushed the FTC to include privacy in its purview in 1995 and sued the agency in 2012 for not enforcing the order against Facebook.

He expects Facebook’s penalty will be $100 million to $200 million and will take between three months and a year to be issued.

In many ways, money will be the least of Facebook’s concerns, said William Kovacic, a law professor and privacy expert at George Washington University.

With a market capitalization of $485 billion, even hundreds of millions of dollars is just a rounding error for Facebook. Far more damaging could be a new settlement the FTC might bring against the company, one that imposes even stronger conditions on how it can treat users’ data — and make money from it — in the future.

In his testimony before Congress last week, Zuckerberg said, “We need to take a broader view of our responsibility around privacy than just what is mandated in the current law.”

“The FTC might say, ‘You better believe it,’” said Kovacic, who chaired the FTC from 2008 to 2009.

As the FTC gets a better handle on the extent of data collection and use by such sites, it could begin to do more on privacy enforcement than it has in the past.

“I think this is just a beginning of a long and animated debate about privacy,” said Stephen Calkins, a law professor at Wayne State University Law School. He served as general counsel for the Federal Trade Commission from 1995 to 1997.
