$5b privacy fine against Facebook seen as ‘chump change’

Two people familiar with the Federal Trade Commission’s (FTC’s) 16-month-long investigation into Facebook’s privacy practices – a probe kicked off by the Cambridge Analytica scandal – told the Wall Street Journal that the commission voted last week to approve a settlement worth about $5 billion.

The FTC settlement could end the investigation, which began in March 2018 after reports that Facebook had let the political research firm Cambridge Analytica (CA) access the personal data of up to 87 million Facebook users without their knowledge, which some said violated a 2011 agreement between Facebook and the FTC to improve its privacy practices.

The next stop for the proposed Facebook settlement is the Department of Justice (DOJ), which typically finalizes FTC settlements. It’s rare for the DOJ to nix FTC settlements, though.

The vote hewed to party lines, with the FTC’s three Republicans supporting it and two Democrats voting against it.

$5b worth of sputtering

Democrats are calling the record-setting fine a slap on the wrist. An early Christmas present. A drop-in-the-bucket penalty. Chump change. A mosquito bite.

Rhode Island Congressman David Cicilline, who oversees an antitrust panel in the House:

It’s very disappointing that such an enormously powerful company that engaged in such serious misconduct is getting a slap on the wrist. This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data. If the FTC won’t protect consumers, Congress surely must.

Biggest fine in FTC history

Others disagree: they think it’s a pretty big chunk of change. $5 billion is about 9% of Facebook’s annual review, which recorded nearly $56 billion in revenue last year. That makes it more than double the maximum percentage – 4% – of annual revenue that can be imposed as a penalty under the EU’s General Data Protection Regulation (GDPR).

It’s the biggest fine in FTC history, dwarfing the previous record holder, which was the $22 million fine levied against Google in 2012 for misrepresenting to Safari users that it wouldn’t place tracking cookies or serve targeted ads to them. Like Facebook now, that earlier fine against Google was also for being in violation of an earlier privacy settlement with the FTC.

David Vladeck, a former director of the FTC’s Bureau of Consumer Protection who’s now a law professor at Georgetown University, told the Washington Post that this will slap the big boys into shape when it comes to respecting user privacy when handling their data:

It’s quite a substantial amount of money, and it sets a baseline [for] the Googles and Microsofts and Apples and the Twitters of the world.

…though really, the devil’s in the details of the final settlement, which the FTC hasn’t yet revealed. Will there be regulatory comeuppance? Any chance that Facebook could be restructured, as some have called for? Time, and the final settlement, will tell.

The latest chapter in the Cambridge Analytica book

According to multiple whistleblowers, Facebook basically turned a blind eye to CA and other developers scraping away its users’ data.

In a lawsuit against Facebook brought by the tiny, your-Facebook-friends-in-bikinis-centered developer Six4Three – and published during the UK’s Parliamentary probe into fake news and the platform’s privacy practices – Six4Three has alleged that Facebook turned off the Friends data API spigot as a way of forcing developers to buy advertising, transfer intellectual property or even sell themselves to Facebook at bargain-basement prices.

In other words, the user data that it claimed CA wrongly got away with is a bargaining chip, according to the fake news inquiry and the private emails of Facebook staff that it got out of the Six4Three lawsuit and subsequently published.

Six4Three has alleged that the correspondence shows that Facebook was not only aware of the implications of its privacy policy, but actively exploited them. The app company asserted that Facebook intentionally created and effectively flagged up the loophole that CA used to collect user data.

In October, the UK’s Information Commissioner’s Office (ICO) fined Facebook £500K for the CA saga. If $5 billion is a mosquito bite, then £500K is a mosquito crossing its arms and refusing to speak to you for the rest of the night.

It’s the best the ICO could do in pre-GDPR days, though. Those days ended last week when the body handed out what seemed, at least last week, before this $5b bite, to be whopper fines for data breaches at Marriott and British Airways.

Which is it, a bite or a nuzzle?

Investors didn’t break a sweat when news of the FTC fine broke. Facebook’s stock closed nearly 2% higher after news about the FTC’s vote came out. Facebook in April had warned investors that it could be bruised with a US penalty fine as high as $5 billion. It set aside a good chunk of that – $3 billion – during its most recent earnings report, when it announced it earned $15 billion in quarterly revenue.