- The Federal Trade Commission hit Facebook with a $5 billion fine for the company’s handling of user data following the giant Cambridge Analytica breach last year.
- While the fine has been criticized by some for being too small, in reality it balances the need to punish Facebook while not imposing onerous regulation on the whole industry.
- The fine should be a model of how the FTC can regulate tech companies going forward.
- The author of this opinion, Jennifer Huddleston, is a research fellow with the Mercatus Center at George Mason University.
- Visit Business Insider’s homepage for more stories.
The Federal Trade Commission announced a record fine and other penalties against Facebook stemming from violations of the company’s prior-consent decree — including, among other privacy concerns, the Cambridge Analytica scandal where millions of users’ data profiles were used without their consent or under deceptive circumstances.
While policymakers continue to debate and develop data-privacy legislation, the FTC-Facebook agreement reflects the heart of the past, present, and future approach to data privacy in the United States.
For now, the FTC is America’s de facto data-privacy regulator based on its consumer-protection mandate. Through its size and scope, this week’s agreement shows it to be an effective cop on the beat, and it appears the current process can provide redress for the tech industry’s data privacy shortcomings.
Some critics have claimed the amount of the fine is not significant enough to punish a company like Facebook, though $5 billion is far from a drop in the bucket. That’s more than the cost of an NFL team, about the current value of Reddit, and more than 200 times as large as any previous data-privacy settlement.
It is also more than the maximum fine of 4% of global annual turnover, about $2.2 billion, that the company would face under Europe’s stringent data-protection regulatory scheme, the General Data Protection Rule (GDPR).
This decision sets a precedent for future FTC enforcement. Specifically, it discusses violations related to misrepresentations of its use of phone-number information collected for its two-factor-authentication system, its use of facial recognition, and the sharing of nonpublic user information.
While some privacy advocates have called for the creation of a new data-protection agency with a more stringent and focused regulatory approach, this week’s settlement suggests that may not be necessary.
The agreement demonstrates the advantages of the case-by-case approach over broad precautionary legislation. For example, the specifics of the agreement apply only to Facebook and its actions rather than governing all data-driven services.
Other entities will clearly pay attention and may even change their behavior as a result, particularly in light of the agreement’s additional and stringent requirements for certification and oversight of the company’s comprehensive privacy program, potential impact on company executives, and a sizeable fine. Still, the FTC’s focus on consumer harm allows companies and consumers to focus their own compliance efforts on choosing privacy solutions that fit their own customers and products.
This is critical because the ways we use data are changing faster than ever and affecting a wider variety of industries, from the obvious (technology and advertising) to the more surprising (utilities and agriculture). As new or updated ideas redefine the market and uses of data, it’s next-to-impossible to craft hard guidelines that can keep up.
Our current approach focuses on the specifics of a particular company’s actions and effects on consumer welfare, making it flexible enough to keep pace with technology when formal legislation cannot.
The ruling may lead to calls for a more precautionary regulatory regime and other sweeping changes to our approach to data privacy.
Yet the aggressive nature of the FTC’s response should indicate to policymakers that America’s "permissionless," pro-innovation approach is capable of responding to data-privacy concerns. This time-tested American approach has largely allowed innovation to flourish in the way a risk-averse European style has not, while still providing redress when consumers are harmed.
The FTC ruling is admittedly not without some concerns and drawbacks. As TechFreedom’s Berin Szoka has pointed out, allowing the FTC to broadly construe and aggressively enforce data privacy consent decrees comes with enough uncertainty to deter smaller innovative startups because of fears of bankrupting fines.
Such concerns certainly seem valid in this case, particularly given the additional regulatory oversight that Facebook will face for the next 20 years under the new consent decree. It also continues the growth of a common law of consent decrees that can unfairly allow an agency to engage in relatively unchecked policy making without the certainty that taking these cases to court would provide to the industry.
The FTC-Facebook agreement will stoke the fire of ongoing data privacy debates. Let’s not forget that it reflects the approach to data privacy that let new, innovative companies like Facebook emerge in the first place.
Policymakers should look to improve, rather than replace, a reasonably effective set of market- and government-driven data-privacy protections for the next wave of innovators.
Jennifer Huddleston is a research fellow with the Mercatus Center at George Mason University. Her research focuses on the intersection of emerging technology and law with a particular interest in the interactions between technology and the administrative state.
- Secretary of State Mike Pompeo has failed to bring ‘swagger’ back to the State Department and America is paying the price
- Democrats say they want to tax the rich, but they’re also pushing a terrible tax idea that would be a big win for the wealthy
- The 32 smartest questions to ask at the end of every job interview