Facebook fine disappoints

“These changes go beyond anything required under U.S. law today,” Zuckerberg wrote in a Facebook post afterward, noting that he and the officers would periodically have to certify the firm’s compliance to the FTC. “The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.”

But Charlotte Slaiman, competition policy counsel at nonprofit internet advocacy group Public Knowledge, faults the agreement for not specifying what privacy practices and standards Facebook would add or alter.

It “was a lost opportunity,” she said. “The settlement could have directly said what Facebook is going to change, and instead we’re hoping that Facebook is going to change because of this new committee and reporting requirements.”

While the settlement’s terms were designed to boost accountability, they are “not sufficient to really protect consumers,” said Slaiman, who was looking for changes to the way Facebook employs, collects, and shares user data, as well as mechanisms that allow other firms to compete. “Leaving Facebook with the right and responsibility to make all of these decisions isn’t going to help with that at all.”

The agreement, which extends for 20 years, will involve more than 1,000 people throughout the Menlo Park, California-based company, Zuckerberg has said. Facebook must boost oversight of third-party apps and is barred from using telephone numbers it obtained to enable a security feature for advertising. It’s also required to establish a comprehensive data security program and encrypt user passwords.

Some of those requirements make the deal a win for Facebook because they will discourage rivals, said Alex Stamos, the former Facebook chief security officer who left last year.

“The real threat to the tech giants is competition, not regulation, and everybody is missing what really happened,” he said in a series of tweets. “Facebook paid the FTC $5B for a letter that says ‘You never again have to create mechanisms that could facilitate competition.’”

As for the fine, it represents only a fraction of Facebook’s $16.9 billion in sales in the three months through June, and that’s just one quarter. The disparity wasn’t lost on Capitol Hill, where lawmakers have grilled company executives repeatedly over the past year.

Rep. David Cicilline, a Rhode Island Democrat and fierce critic of Silicon Valley, called the penalty an early Christmas present for Facebook that was effectively a “slap on the wrist.”

Democratic Sen. Ed Markey of Massachusetts said the company is “getting away with some of the most egregious corporate bad behavior in the age of the Internet” and doubted the settlement would lead to any substantive changes.

“The monetary penalty in this decision fails to deter future bad behavior, and this settlement is also notably deficient in its lack of new safeguards that would effectively prohibit similar privacy violations in the future,” he said. “The new rules placed on Facebook in this consent decree fail to systematically change Facebook’s internal infrastructure and put a stop to its privacy malpractice once and for all.”

Berin Szóka, president of the technology policy think tank TechFreedom, has a different concern about the fine: It’s “arbitrary,” he said, since the agency didn’t provide a clear basis for how it arrived at the penalty.

“It’s easy for someone to say you should’ve gotten” more, he said, “but they need to weigh what they can get in these negotiations versus what they can get if they litigated.”

The settlement was the result of a year-long investigation into claims the company violated a 2012 consent decree through deceptive practices that left users unaware it was sharing their data with third-party apps.

Among the matters reviewed was the harvesting of personal information from 87 million Facebook users by Cambridge Analytica, a political consulting company that worked for Donald Trump’s 2016 presidential campaign. Subsequent breaches included a hack disclosed in September that exposed the personal information of roughly 50 million users and another discovered in April that involved more than 540 million records from accountholders.

While Facebook has remained financially strong so far, with 28% sales growth in the second quarter and $48.6 billion in cash and marketable securities on hand, there are more challenges ahead.

The company said this month that it also faces an antitrust investigation from the FTC, and it may be among “market-leading online platforms” ensnared in a sweeping antitrust review by the Justice Department.

Both could subject Facebook to additional regulatory pressure and come alongside a push by lawmakers for federal privacy legislation. Zuckerberg himself has advocated for a nationwide framework, which Silicon Valley hopes might preempt stricter state measures, including a law in California that is similar to Europe’s General Data Protection Regulation.

Such legislation is “necessary to strengthen the FTC’s authorities and give it more enforcement tools and resources so that violating consumers’ privacy and breaking public trust isn’t just the cost of doing business,” said Rep. Frank Pallone, the New Jersey Democrat who chairs the House Energy and Commerce Committee.

Szóka, too, believes there is a role for Congress but wants lawmakers to establish clear principles governing the FTC’s ability to set fines.

Absent those instructions, Szóka said, smaller companies could suffer more because they have less financial flexibility.

“Only wealthy people play high-risk poker, so that’s the kind of environment that we’re dealing with,” he said. “The point is the arbitrariness of the enforcement that’s the problem because there’s no way for a smaller company to take comfort. They can’t just say, ‘We’re smaller so we won’t face that risk.’ You have no way of knowing.”