The $5 billion fine that the Federal Trade Commission has slapped on Facebook for privacy violations may be the largest ever levied by the agency, but it’s being derided as “chump change” and ineffective by lawmakers and privacy analysts.
The settlement, reported Friday evening, stems from Facebook’s role in the Cambridge Analytica scandal; political consultants working with Cambridge Analytica used billions of personal data points gleaned from 87 million Facebook users’ accounts to create highly personalized messages and ads in a wide-ranging “sway your vote” campaign leading up to the 2016 presidential election.
Facebook has so far faced small fines in Europe, but this is the first financial censure in the U.S. for the tech giant. The $5 billion is 200 times the size of the previous record FTC fine, but given that Facebook reported nearly $56 billion in revenue in 2018, critics say the measure is merely a wrist-slap. Investors certainly didn’t seem worried: Facebook’s stock price jumped nearly 2 percent following the settlement being first reported by the Wall Street Journal.
“This fine is a fraction of Facebook’s annual revenue,” said Rep. David Cicilline (D-R.I.), chair of the House antitrust subcommittee, in a tweet. “It won’t make them think twice about their responsibility to protect user data.”
If the FTC won’t protect consumers, Congress surely must.
— David Cicilline (@davidcicilline) July 12, 2019
Rep. Jan Schakowsky, D-Ill., who is chairwoman of the consumer protection and commerce subcommittee in the House, issued a statement along the same lines: “The sad reality is that this does not go nearly far enough. For a company that last year alone generated revenue nearly 11 times greater than the reported fine, the Federal Trade Commission should send a clear signal to Facebook and so many other tech companies that privacy is their ultimate responsibility. If these reports [of the size of the fine] are true, then they failed.”
“The reported $5 billion penalty is barely a tap on the wrist, not even a slap,” added Sen. Richard Blumenthal (D-Conn.) in a media statement. “Such a financial punishment for a purposeful, blatant illegality is chump change for a company that makes tens of billions of dollars every year.”
Privacy experts agree. “Within the U.S., this Facebook fine and the preceding Google fine are unlikely to change the behavior of similar organizations,” Tim Erlin, vice president of product management and strategy at Tripwire, told Threatpost. “The most likely outcome is that there are more fines from the FTC on the horizon.”
Dan Goldstein, president and owner of digital marketing agency Page 1 Solutions, pointed out that Facebook had anticipated the size of the fine months ago.
“Facebook ultimately predicted its own future about three months ago when it suggested the FTC settlement would cost about $5 billion. The question now is if the company can change its future to overcome its terrible reputation when it comes to user privacy,” he said via email. “The real teeth of this announcement will come not from the $5 billion settlement. Facebook is worth hundreds of billions of dollars, so this amount is practically a drop in the bucket. I am more curious about the regulations expected to accompany the terms of the settlement.”
Over the weekend, lawmakers were quick to wade further into that particular fray, calling for more regulation around consumer privacy.
“Given Facebook’s repeated privacy violations, it is clear that fundamental structural reforms are required,” Mark Warner (Va.), the top Democrat on the Senate Intelligence Committee, tweeted. “With the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it’s time for Congress to act.”
Congress is mulling a national privacy bill (though with only two weeks to go before the August recess, it’s unlikely to pass before the fall). But privacy experts are unsure that the Facebook situation is a harbinger for GDPR-style regulation in the States.
“There may be no reason to implement a regulation closer to GDPR if fines can be successfully levied without it,” Erlin told Threatpost. “The reality is that we’re heading into an election cycle with a long list of issues that are more important than consumer privacy. It’s unlikely that we’ll see any significant regulatory changes in the near term.”
Chris Olson, CEO of The Media Trust, meanwhile said that continued fines and regulation in general are likely to hurt smaller companies.
“Fines could backfire; companies with deep pockets have the resources they need to stay compliant with the strictest regulations,” he told Threatpost. “Smaller companies, however, do not. So if lawmakers continue to introduce new laws on data privacy, chances are, larger companies will fare the best, smaller companies will suffer, and consumers will have fewer options. More regulation is not the answer to the sprawling data ecosystem. It’s everyone in the industry working on standards and rules of engagement that benefit consumers.”
Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More