WASHINGTON D.C. — Today the FTC announced that it had voted 3-2 along party lines to approve a $5 billion settlement over Facebook’s handling of Cambridge Analytica’s misuse of user data to influence the 2016 election. The agreement also lays out an elaborate, expensive compliance program for Facebook. The previous record for the largest fine imposed for violation of an FTC consent decree was $22.5 million — a privacy case involving Google in 2012.
Democratic Commissioners Rohit Chopra and Kelly Slaughter argued that the fine was too small, that the FTC should have sought to hold Facebook CEO and founder Mark Zuckerberg personally liable, and that an even tougher compliance program should have been required. The Republican majority defended the compliance program and questioned, more than a dozen times in eight pages, whether the FTC could have obtained better relief for consumers if the Commission had decided to litigate the case. Implicitly (but repeatedly), the majority seemed to concede that the FTC might not have been able to obtain any fines at all if it had taken the case to court.
“Facebook just bought a $5 billion protective moat around its business model,” said Berin Szóka, President of TechFreedom. “Facebook can’t be happy about taking such a huge financial hit, but with over $50 billion in cash on hand, the company can easily afford this settlement. But more importantly, who else could? Nothing could do more to discourage competition with today’s tech giants than the looming threat of such massive fines. Those cheering today’s settlement as a victory against Big Tech should think twice about its long-term effects on those trying to dethrone Facebook. Fortunately, Facebook did refuse to accept what would have been an even worse barrier to entry: that executives can be held personally liable when it’s so unclear whether conduct is illegal. Who would launch a startup, or take a leadership role at one, if they might face staggering personal liability?”
Only by charging Facebook with violating an unrelated 2012 privacy consent decree was the FTC able to impose a monetary penalty, since the FTC Act does not authorize penalties for new charges that a company violated the Act by committing an unfair or deceptive practice. Remarkably, nothing in the Order or the Republican majority’s statement explains why the Cambridge Analytica fiasco fell within the scope of the 2012 decree. A year ago, TechFreedom urged the FTC to charge Facebook with deceiving its users by failing to notify them about Cambridge Analytica’s misuse (and to seek new injunctive relief), but concluded, in the first public legal analysis of the case, that the 2012 consent decree did not apply — and thus that the FTC could not obtain monetary penalties.
“Today’s fine rests on a legal sleight of hand — and sets a dangerous precedent,” warned Szóka. “Chairman Simons seems to have found himself in an impossible position: His Democratic colleagues wanted a much, much larger fine, but at least one Republican Commissioner — and maybe all three — clearly recognized the cold, hard legal reality: if Facebook refused to settle, a court would rule that the FTC had no authority to impose monetary penalties because the agency could not show that the new conduct fell within the scope of the 2012 consent decree. Indeed, when that agreement was negotiated, Republican Commissioner Rosch, who wanted a tougher order, complained that the agreement did not cover conduct by third party app developers — the very thing at issue here. That Facebook chose to settle again merely proves that the company decided it was worth $5 billion not to have to drag out its public relations nightmare any further.”
“Today’s settlement should trouble even Facebook’s critics — especially Facebook’s critics — because the company has, whether intentionally or not, helped to establish two legal precedents that will be used against all tech companies, including small ones,” Szóka explained. “The first is multiplying, by 22-fold, what fines are considered reasonable. The second is validating the FTC’s use of privacy consent decrees to regulate everything a company does. Combine these two things with the fact that FTC already has all significant tech companies under 20-year consent decrees, and the result is vast and essentially arbitrary power over the tech sector. This isn’t something that even the fiercest critics of ‘Big Tech’ should want. It might be fair to penalize tech companies for violating clear new rules if Congress legislates, but not for failing to predict how the FTC wields its existing, uniquely vague power to decide what is ‘unfair’ or ‘deceptive.’ And even with clear rules, Congress needs to establish clear limiting principles governing the FTC’s ability to impose fines, just as it did when it created the Consumer Financial Protection Board.”In a Medium post published earlier this year, Szóka analyzed the legal issues surrounding the case, distilling a letter TechFreedom sent to lawmakers last March, shortly after the news broke about Cambridge Analytica’s misuse of data collected about Facebook users.
See more of our work on consumer privacy, including:
- Our March 2018 analysis of the FTC’s authority as applied to the Cambridge Analytica and recommendations for Congress
- “The Facebook/Cambridge Analytica Settlement: How Far Can the FTC Go, Legally?” on Medium
- Our 2018 FTC Comments on Competition & Consumer Protection in the 21st Century
- Our 2018 NTIA Comments on international priorities
- Our comments on NTIA Privacy Framework
- Our 2017 Senate Testimony on FTC Stakeholder Perspectives: Reform Proposals to Improve Fairness, Innovation and Consumer Welfare