In a meeting with Facebook employees last week about the company’s record $5 billion settlement with the Federal Trade Commission, CEO Mark Zuckerberg said forthcoming changes to its privacy practices were in line with his belief that companies should protect users’ data.
“I’ve said a number of times in the past that I believe that companies should be held accountable on privacy,” Zuckerberg said, a reference to comments he made earlier this year. “And this is what accountability looks like.”
Zuckerberg wasn’t the only Facebook executive to share a similar sentiment—Colin Stretch, vp and general counsel, said in a statement the agreement would “require a fundamental shift” in Facebook’s approach to privacy, but that he was hopeful the settlement would “be a model for the industry” from an accountability standpoint.
So what is that model? The FTC settlement, which stemmed from what Facebook told users about their privacy controls and how it addressed lapses, requires the social network to establish a panel within its board of directors to monitor its privacy practices. Three compliance officials, along with Zuckerberg himself, will be required to certify that the company is protecting users’ data every quarter, or face civil and even criminal penalties. Facebook will have to submit new products to privacy reviews and document information about data breaches, and the FTC can request documents and use discovery tools to monitor compliance.
Here’s what that “model for the industry” is not: Facebook did not have to admit wrongdoing. No executives faced penalties for its privacy violations. The extent of the civil and criminal penalties isn’t defined, mitigating the threat of potential legal action.
The company and its executives received sweeping immunity from any additional privacy violations between 2012 and 2018, including potential violations that haven’t been discovered yet. The FTC also did not place any limits on Facebook’s collection or use of user data itself. And while the fine is a record in terms of the sheer size of the penalty, it represents less than 10% of Facebook’s annual revenue.
In a statement, FTC chairman Joe Simons said the settlement “is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.” At a subsequent press conference, Simons said the FTC chose to pursue the fine rather than years of litigation that could lead to a less fruitful outcome. James Kohm, head of the FTC’s enforcement unit, told NPR the terms mean “there’s no way that the CEO can bury his head in the sand” about the company’s privacy practices in the future.
But not everyone is convinced. There’s widespread concern the settlement doesn’t go far enough in holding executives responsible for past transgressions, and represents a missed opportunity for addressing broader concerns about Facebook’s conduct. Rohit Chopra, one of two FTC commissioners who did not approve of the settlement, said the ruling let Facebook off easy.
“Breaking the law has to be riskier than following it,” Chopra wrote in a fiery dissent. “The settlement’s $5 billion penalty makes for a good headline, but the terms and conditions, including blanket immunity for Facebook executives and no real restraints on Facebook’s business model, do not fix the core problems that led to these violations.”
Many Democratic and Republican lawmakers also criticized the settlement for falling short, joined by consumer advocacy groups.
“This settlement doesn’t even come close to preventing such violations from occurring again,” said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union. “It fails to put strong and meaningful limits on how Facebook collects, uses and processes user data. It holds no executive personally liable for years of privacy violations and misleading statements made by the company.”
It’s rare that executives are held personally responsible for their company’s missteps or deceptions, especially when it relates to privacy. After the credit-reporting bureau Equifax compromised the personal information of more than 140 million Americans and didn’t inform them until six weeks after the breach, CEO Richard Smith quickly retired without his annual bonus—and dodged any repercussions. The only executive who did face penalties was former CIO Jun Ying, who was sentenced to four months in prison for insider trading, not for the breach itself.
There’s some effort to change that. In November, Sen. Ron Wyden, a Democrat from Oregon, proposed a Consumer Data Protection Act that would penalize companies with steep fines and senior executives with jail time for privacy breaches. Massachusetts Sen. Elizabeth Warren, a Democrat who is running for president, similarly suggested holding corporate executives criminally liable for major data breaches.
Meanwhile, there’s a continued effort to develop federal privacy legislation that would shore up penalties for companies and give consumers more control over how their data is shared. Simons, who said the FTC has limited authority over Facebook in terms of its privacy practices, last week urged the adoption of comprehensive federal privacy legislation that includes giving the FTC more authority to make and enforce rules related to safeguarding user data. The social network is also facing down additional scrutiny from the Justice Department as part of a sweeping antitrust review of the tech industry’s biggest corporations.
In the meantime, experts have little expectation that the FTC’s approach to holding Facebook accountable will have a demonstrable impact. Fatemeh Khatibloo, a vp and senior analyst at Forrester, said she didn’t expect Facebook’s new privacy board to do much in the way of changing how the company fundamentally operates.
“While the [FTC] did write in a criminal and civil liability clause for executives found to be lying to the privacy board, Zuckerberg is still holding the final hammer above that board,” Khatibloo said in a statement. “It’s naive to think that the privacy board will truly operate independently.”
Jason Kint, CEO of the trade association Digital Content Next—and a vocal critic of Facebook—said he was under no illusions the settlement would make an impact, but that he was hopeful new state and global data regulations would have a bigger impact on Facebook’s conduct.
“The industry clearly hasn’t gotten straight answers from Facebook, and this suggests the FTC won’t be where we get them,” Kint said.