Considering Facebook: Implications of a Billion Dollar Privacy Fine from the FTC
The Washington Post reported last week that Facebook and the Federal Trade Commission are negotiating a multibillion dollar fine in an update to the government’s Cambridge Analytica investigation. It is expected to be the largest penalty ever levied by the FTC against a tech company, although there is no agreement on an amount yet according to the unnamed sources.
The fine would set a record around the world for the largest penalty for a privacy breach. It would even top the largest fine for a data breach – a record currently held by Uber for its $148 million settlement with the 50 state attorneys general and the District of Columbia.
The European Union has issued billion dollar fines against technology companies before – but not yet for privacy violations. Both Apple and Google have already been fined over $1 billion as the European Union took issue with handling of taxes and anticompetitive behavior.
There is probably still a long way to go before the resolution of the investigation into Cambridge Analytica and the announcement of a billion dollar fine. Nevertheless, if it proceeds that far, privacy would join a select number of areas that have justified billion dollar government fines levied by the United States, including mortgage fraud around the 2007-08 financial crisis, environmental issues, unsafe or polluting vehicles, pharmaceutical fraud, antitrust/competition, bribery of foreign officials and violations of economic sanctions.
Despite recent criticism of the FTC for its handling of enforcement actions involving privacy, it will not be the first billion dollar fine in general for the FTC. The FTC reached a billion dollar settlement with Teva Pharmaceutical in 2015 to resolve antitrust violations, and litigated a case of unfair practices in payday lending to a billion dollar judgment. However, it will smash the largest previous privacy fine. The biggest fine the FTC has issued so far for a privacy breach was substantially less – just $22.5 million against Google in 2012 for the violation of a settlement agreement.
The Google settlement was one of two violations of a privacy settlement agreement by companies that resulted in a penalty by the FTC in the last decade. The other case was Upromise ($500,000) in 2017. The two companies were identified in a recently published GAO report on internet privacy that examined 101 enforcement actions regarding internet privacy pursued by the FTC over the last ten years. In most of them, the FTC did not levy civil penalties because it lacked authority to do so for a first offense.
The recent Washington Post report provides more detail to a story from a month ago that the FTC was prepared to issue a record fine for Facebook as a result of its investigation into suspected violations of the 2011 consent decree that began in March with the Cambridge Analytica scandal.
The US fine would dwarf the United Kingdom’s fine of 500,000 pounds by the Information Commissioner’s Office. The ICO was limited to 500,000 pounds because the violation preceded the entry into effect of GDPR, which raised the maximum penalty to the greater of 20 million euros or 4% of global annual revenue. The ICO issued its final decision in October and Facebook appealed it in November.
Meanwhile, Facebook has been the subject of other government investigations in Europe since Cambridge Analytica. A report from Britain’s Digital, Culture, Media and Sport committee released this week found that “Facebook intentionally and knowingly violated both data privacy and anti-competition laws.” Additionally, the competition regulator in Germany (FCO) a few weeks ago ordered Facebook to halt the collection and aggregation of user data from non-Facebook properties and third parties without explicit consent. The FCO said in its statement that Facebook was … “in violation of the European data protection rules to the detriment of users.”
It is possible that Facebook could be facing other investigations as well. There have been reports about complaints filed by consumers with DPAs against Facebook already, including one filed over the first weekend that GDPR went into effect.
The new reports of a big FTC fine follow a record-setting GDPR fine of 50 million euros by France’s CNIL against Google over Android privacy practices. The French penalty is the largest to date under GDPR, although it was nowhere near the maximum 4% of annual revenue that could be levied under the law based on Google’s $110 billion in annual revenue.
What are the implications for the compliance and privacy world from a big Facebook fine?
1. Fines for other privacy violations will increase.
The European Union has been positioning itself as a global leader on privacy issues through GDPR for several years now. It set the bar high with GDPR’s maximum penalty of 4% of an organization’s global annual revenue. However, if the United States issues a large fine, it will put pressure on the European Union to fine companies more as well. It will also set a precedent to justify substantial fines for privacy violations under GDPR. A large fine would also set a precedent for future federal and state investigations of privacy in the United States.
2. The costs of responding to government investigations will increase.
As the stakes go up, so will the legal fees and investigation costs of any company’s response. The costs for companies to respond to investigations under the Foreign Corrupt Practices Act (FCPA), an area where fines in the hundreds of millions of dollars are a strong possibility, can be as much as (or more than) what the company will ultimately pay out to the federal government. With a billion dollar fine against Facebook, any company that faces a privacy investigation will be willing to spend more to avoid a negative result.
3. It will build momentum for legislative solutions to privacy.
A billion dollar fine will generate press coverage and calls for additional protections. It will justify legislative efforts to take action on both the state and federal level to protect their constituencies.
4. Companies will need to increase their privacy compliance budgets.
The consequence of the above for companies will be the need for higher compliance budgets. Organizations will face higher fines if they don’t comply, and more expensive investigations of suspected violations. The logical result for companies that do not want to face these expenses will be to spend more, although it may take several cycles of higher fines to spur executive action.