The US Federal Trade Commission (FTC) is reportedly considering imposing a “record-setting fine” against Facebook for failing to protect users’ privacy in the Cambridge Analytica scandal.
According to the Washington Post, which broke the story on Friday, the FTC is considering fining Facebook for violating a previous agreement with the FTC, in which it promised to better protect user data and receive explicit consent around changes to user privacy.
The figure is reported to be in excess of the record $22.5m FTC fine levied against Google in 2012.
Last year, Facebook was accused of data misuse after it emerged that political consulting firm Cambridge Analytica harvested some 87 million users’ data without their explicit consent.
Commentators have pointed out that the fine would need to be very substantial to make a dent in Facebook’s profits: the firm collected more than $13bn in revenue in the last quarter alone.
Dan Goldstein, a former attorney and president and owner of digital marketing agency Page 1 Solutions is not surprised by the development – and expects more troubles for the social media giant on the horizon.
“This certainly isn’t the first headline on Facebook’s legal woes, and it won’t be the last by a wide margin. Mark Zuckerberg might need to resume his apology tour in 2019,” he said.
He added that the reported Facebook FTC fine is the “logical culmination” of Facebook’s 2018 controversy and that it’s “no surprise that regulators are putting the company under a microscope”.
Facebook FTC fine: What did the previous agreement say?
In 2011 Facebook signed a consent decree with the FTC after allegedly misleading users about how private their information was.
It meant the social network avoided financial penalties, but had to submit to third-party audits for 20 years.
Here’s the 2011 agreement, via the FTC.
- Barred from making misrepresentations about the privacy or security of consumers’ personal information;
- Required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- Required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
- Required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- Required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
The FTC launched an investigation into Facebook last March, when the Cambridge Analytica scandal first emerged.
It is unclear which of these the FTC might be focusing on in its investigation.
“Say what you want about the oversight and questionable business practices that have put Facebook at the centre of the privacy controversy; no company is 100% safe from a breach, and it remains to be seen if the FTC views such an event as a violation of terms requiring Facebook to improve consumer protections and give users greater control of their data,” added Goldstein.
What could it mean for European investigations?
Joseph Carson, chief security scientist at cybersecurity firm Thycotic, believes that the possible FTC fine will likely be the “first of many in the coming year” and could have implications for European investigations.
“Surely the European Commission will be watching closely on what the FTC’s findings from the probe are, as it could influence the EU GDPR lawsuits against Facebook for similar abuse on EU Citizens personal data, as well as the multiple security breaches in the past year.
“2019 could be the year of the biggest financial penalties against organisations for failing to protect and secure personal data – as well as abusing it for profit.”