This article originally appeared in Washington Examiner on May 9, 2019.
Facebook announced recently that it expects a huge fine from the Federal Trade Commission for privacy violations, and reactions from privacy advocates and cybersecurity experts are all over the map.
Some Facebook critics say the company deserves the fine, which is expected to be in the range of $3 billion to $5 billion, by far the largest fine ever imposed by the agency for privacy violation. Others say the civil penalty isn’t nearly big enough, considering the size and value of Facebook, and insist Congress must pass new rules to protect consumer privacy.
The company frequently clears more than $3 billion in net income per quarter, with the company reporting $22.1 billion in net income in 2018. The potential fine is a “drop in the bucket” to Facebook, said Braden Perry, a regulatory and government investigations lawyer with the Kansas-based Kennyhertz Perry law firm.
The potential fine “won’t do much” to fix ongoing privacy abuses in the tech industry going forward, he added. The investigation focused exclusively on violations of a 2011 privacy settlement between and company and the agency.
The details of the investigation are confidential, but most observers assume the violations included the social media giant’s sharing of users’ data without their consent with British political consulting firm Cambridge Analytica during the 2016 U.S. election campaign.
Facebook Chief Financial Officer David Wehner told financial analysts of the expected fine during an April 24 conference call but said the company can’t comment further on the “ongoing matter.” A Federal Trade Commission spokeswoman also declined to comment on Facebook’s potential fine.
The government agency’s maximum fine for privacy violations stands at $41,484 per affected consumer. An estimated 71 million U.S. residents had their data shared with Cambridge Analytica, noted Stafford Palmieri, a researcher with the Penn Wharton Budget Model, a nonpartisan initiative at the University of Pennsylvania. That figure doesn’t include the potentially tens of millions of U.S. residents who had their Facebook data scraped by other companies, she added.
If 71 million users were affected, the maximum penalty for the Cambridge Analytica breach would be $2.9 trillion. Given that Facebook’s total revenue in 2018 was $55 billion, “the FTC would effectively be putting them out of business” with a maximum fine for the Cambridge Analytica violations, Palmieri said.
The expected fine is a tiny fraction of the maximum but may still send a message, Perry said. With the European Union’s General Data Protection Regulation having gone into effect a year ago and California having passed its own privacy law last year, new “regulations are inevitable.” The fine “could be the catalyst needed to get technology companies to embrace the inevitable and attempt to make it as advantageous to them as possible.”
Congress needs to regulate companies such as Facebook that sell user data without proper disclosures, agreed David Reischer, a lawyer and CEO of LegalAdvice.com.
A multibillion-dollar fine “is inadequate to curtail Facebook practices as Facebook will continue to sell personal data and accept the FTC fines as simply the cost of doing business,” Reischer predicted. Facebook’s leadership has “done nothing to assuage fears that the company has much regard for customer privacy.”
Other observers consider the fine appropriate. It would be the largest privacy-related penalty imposed by regulators in either America or the EU, noted Greg Sparrow, senior vice president and general manager at CompliancePoint, a consultancy that helps companies comply with regulations. Previously, the largest fine under the new EU rules was $56.8 million levied on Google earlier this year, he noted.
“For the past decade, Facebook has helped create a new industry based on monetizing consumers’ private information, while putting minimal consumer controls in place,” he said. “Facebook has certainly set themselves up for financial liability based on the 2011 consent decree.”
Like others, Sparrow called for Congress to pass new privacy rules. “What is needed in the industry is more transparent and fair consumer practices around data privacy,” he said.
The Facebook privacy case is “merely a symptom of a larger problem,” added Chris Olson, CEO of The Media Trust, a security and compliance monitoring vendor.
“Problems as to how data is used and abused on the Internet will not be solved by aggressive finger pointing,” he said. “The fact is, most companies, whether they realize it or not, enable some form of personal data collection from largely unknowing consumers every time they access an organization’s website or mobile app.”
