The US Federal Trade Commission (FTC) today confirmed media reports that it is investigating Facebook, and whether the company violated a 2011 agreement over how it shares its users’ data.
If the FTC determines Facebook infringed that agreement through its recent scandal connected to the actions of the political consultancy Cambridge Analytica, it could theoretically trigger hefty fines. Since the news first broke, Facebook has lost billions in stock value.
“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers,” said Tom Pahl, the acting director of the commission’s Bureau of Consumer Protection, in a statement. “Foremost among these tools is enforcement action against companies that fail to honor their privacy promises…Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook.”
Two weeks ago it was revealed that the company allowed a Cambridge University researcher, Aleksandr Kogan, access to the data of 50 million Facebook users who then provided it to Cambridge Analytica, which was used by Donald Trump’s 2016 presidential campaign to help him win the White House. In 2011, Facebook agreed with the FTC that it would not share its users’ data without their expressed consent.
“There’s plenty of money on the table to make Facebook nervous and get the FTC interested,” says Eric Goldman, the co-director of the High Tech Law Institute at the Santa Clara University School of Law. Facebook’s user data is key to its success; it’s what advertisers use to target Facebook ads.
“What needs to happen is a very thorough investigation and a public airing of the way these platforms function,” said Raj Goyle, a former Kansas state legislator and Congressional candidate, who now is the co-CEO of legal tech platform Bodhala.
What happened in 2011?
The FTC claimed (pdf) in 2011 that Facebook had engaged in “unfair and deceptive practices” by making public the data that its users considered to be private. That claim included the charge that Facebook had inappropriately shared data with advertisers and outside application developers. Developers now say that Facebook was often lax (paywall) about how it shared user data with them and how they could use it.
The social media giant opted to sign a “consent decree” with the FTC, agreeing to not share its users’ data without their consent. It paid no fines.
Is there a catch?
It’s not entirely clear whether Facebook’s involvement with Cambridge Analytica would constitute a violation. The company insists it did nothing wrong: “We remain strongly committed to protecting people’s information,” Facebook’s deputy chief privacy officer told Politico. “We appreciate the opportunity to answer questions the FTC may have.”
In 2011, Jessica Rich was serving as the deputy director of the FTC’s Bureau of Consumer Protection, where she helped oversee the consent decree and the drawing up of the order. She is now the vice president for advocacy at Consumer Reports. In a recent conversation with Quartz, Rich described what she considers the three main areas that investigators will examine to determine whether Facebook violated its agreement.
What happened to the privacy program?
Facebook agreed as part of its settlement to establish and maintain “a comprehensive privacy program” that would address privacy risks and protect people’s information. It also agreed to use an independent third-party professional to audit that program. It’s not clear what this auditor did or did not do.
“I think there would be a strong concern that Facebook’s failure to oversee third-party access to user data fell short of these requirements,” Rich said.
Was the data Facebook’s responsibility?
The agreement requires Facebook not misrepresent to users the extent to which their data will be used.
“In the course of all this, I think the FTC will be looking at whether Facebook made any deceptive statements about third-party access to user data and the oversight of the third parties that Facebook provided,” Rich said.
This is part of a larger and more existential legal question. Facebook permitted Kogan access to user data, but whether the company was responsible for its user data once he passed it along to Cambridge Analytica is an open question.
“That could be a hotter spot for Facebook,” said Goldman of Santa Clara. “We have to look and see exactly what Facebook told users. If it was silent—if Facebook didn’t promise one way or the other—it’s not entirely clear whether Facebook would have default responsibility.”
What did people expect?
The last major question has to do with a user’s expectation when completing their privacy settings.
“When people agree to the settings, would they have anticipated that Facebook would fail to monitor third party access to their data, and fail to enforce its own policies?” Rich asks.
If the answer is no, that opens up a lot of uncomfortable questions for the social media giant to answer.
What’s at stake?
If it is determined the company violated the terms of its agreement with the FTC, it would be subject to hefty fines of $40,000 per incident. If 50 million users had their data shipped off to Cambridge Analytica without their knowing, that could theoretically amount to billions of dollars in fines.
Whether such a large fine would damage user trust in the company isn’t clear. Goldman believes it’s unlikely. “Facebook has broken consumer trust many times, that’s nothing new,” he said. “And remarkably, the string of disappointments by Facebook hasn’t receded its number of users and, until recently, hasn’t reduced its usage.”
Internet technology has developed faster than state and federal privacy laws, effectively putting Silicon Valley in charge of how the data it collects from its customers is used. The Obama administration, which also used social media ad targeting in its campaigns, “certainly was not at the top of its game getting ahead of these issues,” said Goyle, who noted he is a Democrat. The last administration’s “cozy relationship” with the tech industry was hardly ideal, he said.
If Congressional lawmakers aren’t willing to simply trust that companies such as Facebook will adequately protect people’s data, they could pass legislation to establish new rules. Passing that kind of sweeping legislation in the current political climate is unlikely, but Democrats and Republicans in Congress are openly suggesting greater regulation might be necessary.
“They just can’t say ‘trust us’ anymore,” Minnesota senator Amy Klobuchar said in an interview on National Public Radio. “We’re going to find out if there’s any meat on the bones.”
Heather Timmons contributed to this report.