Now that the cameras have gone, the booster cushion has been removed from the witness chair, and Mark Zuckerberg is comfortably back in Palo Alto, having survived his marathon two days of testimony in front of a somewhat confused Congress, what’s next?
Following the revelations that a political marketing firm, Cambridge Analytica, improperly obtained personal information from approximately 87 million Facebook user profiles (including even Mark Zuckerberg’s!), Congress has more support than ever to regulate Facebook and other social media tech. On his ‘apology tour,’ and in congressional testimony, Zuckerberg has said he is open to some form of oversight. "The internet is growing in importance around the world in people's lives and I think that it is inevitable that there will need to be some regulation," he said. But just what that regulation would look like remains unclear.
Some lawmakers cited the ‘weakness of the current system’ and failures of tech firms to self-police in arguing that legislative oversight, and even a new bureau, might be necessary. “Would it be helpful if there was an entity clearly tasked with overseeing how consumer data is being collected, shared and used, and which could offer guidelines, at least guidelines for companies like yours to ensure your business practices are not in violation of the law,” Rep. Raul Ruiz, a Democrat from California, asked at the House hearing. “Something like a digital consumer protection agency?” Zuckerberg deferred, hinting at a long road toward that compromise. “Congressman, I think it’s an idea that deserves a lot of consideration,” he said. “But I think the details on this really matter.” Those details will take some time to negotiate. In the meantime, an FTC investigation is picking up steam.
The Federal Trade Commission is the top cop on the privacy beat, with a mandate to protect consumers from unfair and deceptive trade practices. In a March statement announcing the opening of an investigation into Facebook’s privacy practices, Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection, said, “The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises.” Facebook’s privacy promises – going back to 2011 – are all under intense scrutiny.
In November of 2011, Facebook reached a settlement with the FTC regarding claims they had engaged in ‘unfair and deceptive practices’ by publicizing data that users thought was private. To settle that action, Facebook signed a consent decree with the FTC, agreeing not to share users’ data with third parties without their express consent, to give consumers clear and prominent notice before sharing their information beyond their privacy settings, and to maintain a comprehensive privacy program to protect consumers’ information.
The reopening of the FTC investigation is aimed at determining whether Facebook upheld that agreement. “We remain strongly committed to protecting people’s information,” said Rob Sherman, deputy chief privacy officer at Facebook. “We appreciate the opportunity to answer questions the FTC may have.” The FTC will no doubt seek answers to questions concerning Facebook’s policing of the information that Cambridge Analytica was able to collect.
In his testimony before Congress, Mr. Zuckerberg explained that, although the company has since changed its policies, this was the “way that the platform worked, that you could sign into an app and bring some of your information and some of your friends’ information.” In effect, Zuckerberg argues, there was no violation of the consent decree because the 87 million users effectively consented to sharing their personal data on the platform, though they may not have explicitly agreed to share that information with Cambridge Analytica.
If the FTC finds that Facebook did, in fact, violate the terms of the consent decree by allowing Cambridge Analytica to acquire the data of more than 87 million users without their consent, and that Facebook should have done more to protect the data than simply accept a declaration that the data had been destroyed in 2015, there may be substantial fines in store for Facebook. Each violation could merit a fine of more than $40,000, per user, per day, which, when multiplied by the 87 million users affected by the Cambridge Analytica leak, could amount to trillions of dollars. While it is unlikely that the FTC would impose a fine of that magnitude, any monetary penalty assessed against Facebook would be significant, both for Facebook’s bottom line (currently valued at over $480 billion) and for what the precedent would do to Facebook’s business model, which is based on collecting and using data to sell ads.
It is important to note that Facebook denies any wrongdoing with respect to the Cambridge Analytica leak, and even finds fault with the characterization of what occurred as a “breach.” Facebook’s Vice President, Andrew Bosworth, defended the company on Twitter. “This was unequivocally not a data breach," Bosworth said. "People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. No systems were infiltrated, no passwords or information were stolen or hacked."
Strengthening Facebook’s case is a recently disclosed audit report prepared for the FTC even after Facebook had lost control of the user data, stating that the company had sufficient privacy protections in place. PricewaterhouseCoopers told the FTC that, over the period of time from February 2015 through February 2017, “Facebook’s privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy” of its users. It is unclear whether or not the company disclosed the leak to the auditors, however, and it seems likely that will be part of the FTC’s investigation. Rob Sherman said Facebook remains “strongly committed to protecting people’s information” and appreciates “the opportunity to answer questions the FTC may have.”
During Mark Zuckerberg’s appearance at the Senate hearing, Senator Orrin Hatch asked: “how do you sustain a business model in which users don’t pay for the service?” Zuckerberg calmly explained: “Senator, we run ads.” He, and his company, might need to expand on that business model in the post-Cambridge Analytica regulatory landscape.
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. Moore & Van Allen’s Privacy & Data Security Group recognizes the challenges clients face in the effort to stay abreast of such volatility. “Data Points” seeks to educate by providing transparent and cutting-edge insight on the most critical issues and dynamics. Our goal is to inform business decision-makers who are navigating these waters about the information they must protect, and what to do if/when security is breached.