Facebook was in the headlines once again following the announcement it has agreed to pay a $5 billion (that’s billion with a “B”) fine to the Federal Trade Commission (FTC) for its most recent privacy issues. However, the reaction around the world has been a bit tepid to date. The $5 billion penalty represents a new record for the FTC, given that the second largest fine it levied against a tech company was a mere $22.5 million charged to Google in 2012.

For Facebook, the fine comes out to 9% of its $55.83 billion total revenue in 2018. The social media giant also faces potential regulatory action from Europe. Just recently, the U.K.’s Information Commissioner’s Office delivered a notice of intent to fine Marriott International and British Airways $123 million and $230 million respectively, under the EU General Data Protection Regulation.

The only bigger headache for Facebook than the potential monetary costs of the settlement is ongoing government oversight of its business. With the California Consumer Protection Act (CCPA) set to go into effect in January 2020 and the emergence of an increasingly complex regulatory environment, it’s worth asking whether companies can be fined into “doing the right thing,” and whether the fine is what they should really be worried about.

20 Years of Data Collection Oversight for Facebook

Since 1999, the FTC has used its enforcement authority — under Section 5 cases and complaints alleging violations of COPPA, GLBA and the US-EU Safe Harbor/Privacy Shield arrangements — to settle with companies wherein the company is placed under an FTC consent decree. Major technology organizations, including Facebook, Google, Snapchat, Twitter and Uber, are under 20-year decrees.

In fact, violation of this consent decree is what has led to Facebook’s multibillion-dollar fine along with a brand new consent decree with even more onerous obligations. The extensive list includes:

  • Facebook must create a new independent committee within its board of directors to oversee privacy decisions — a move the FTC says is intended to limit Zuckerberg’s unilateral power.
  • The company must appoint compliance officers who will oversee privacy practices. These officers, along with Zuckerberg, must independently certify that Facebook is complying with the settlement. Any false certification could result in fines.

  • For the next 20 years, a third-party organization will review Facebook’s data-collection practices — including its other services, Instagram and WhatsApp.


No Business Is Immune From Oversight

While the large corporations usually make headlines, that doesn’t mean small businesses are immune to cybersecurity issues. A quick look at the FTC’s consent orders reveals that many of the companies under order are not name-brand organizations. For small and large companies alike, the cost of compliance increases considerably under an FTC consent order. That cost goes beyond the assessments themselves and includes operational costs and possible impacts to reputation.

Under many consent orders, both existing employees and new hires are required to read the order. This poses a problem, as the orders often carry documentation and retention requirements that are challenging for many organizations to address as part of normal business practices. On top of these operational costs, the FTC can request information at any time during the period of the order, along with ongoing evidence of compliance for the auditor. Lastly, having a breach or another privacy/security event while under an order exposes the organization to the risk of an extremely high fine — just ask Facebook.


Do the Right Thing

The FTC’s oversight and enforcement powers, together with GDPR and soon the CCPA, are hardly the last opportunities for regulators and consumer advocacy groups to ensure that companies’ business practices appropriately conform to societal expectations of personal data privacy and individual rights.

While the regular practices of companies like Facebook have now been exposed, and data breaches such as those at Equifax, British Airways and Marriott have been very damaging to consumers, these events have also moved the world closer to a regulatory environment in which companies must do the right thing and actively work to change privacy laws.

Of course, responsible organizations should want to build and maintain trust with their customers. When a breach occurs and the victim organization does not have a reasonable or defensible privacy and security program in place, the impacts are severe.