Facebook Takes $3 Billion Hit, Anticipating FTC Fine
Questions Loom About Whether Big Fines Will Prompt Privacy Reform
Facebook has set aside $3 billion from its first quarter profit to pay for what is likely to be a record-breaking fine from the U.S. Federal Trade Commission, which is investigating its data-sharing practices.
On Wednesday, the social network said the FTC fine could be as much as $5 billion. Facebook had expected to post about $5.4 billion in profit over the first three months of this year, but it has revised that to $2.4 billion.
"The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome," according to its earnings release.
Subtracting the money set aside for the fine, Facebook's operating margin is still 22 percent - a respectable figure for any business - but less than half the 46 percent margin it recorded for the prior quarter.
The FTC and Facebook have been negotiating a settlement over whether the social network violated a 2012 agreement with the agency. The FTC investigation was launched as a result of Cambridge Analytica, a defunct voter-profiling firm, which improperly obtained profile data for 87 million Facebook users without their consent (see: Facebook and Cambridge Analytica: Data Scandal Intensifies).
The FTC's investigation continues as technology companies are facing a backlash over issues ranging from election interference to fake news to privacy to the propagation of violent and offensive content. Also, some critics have called for the break-up of dominant U.S. companies, such as Google, Amazon and Facebook, to protect competition.
The Fine: A Red Herring
A multibillion-dollar fine would be the largest ever issued by the FTC. The largest fine the FTC has imposed to date was a $22.5 million fine against Google in 2012.
But the size of the fine may largely be a red herring, says Corynne McSherry, legal director of the Electronic Frontier Foundation.
"I think focusing on the money may distract from where I think the FTC should really be putting its energy, which is thinking about what it needs to put in place to make a consent decree actually meaningful," McSherry says.
Since 2012, Facebook has been under the FTC's watch. It agreed to a settlement that required it to submit third-party audits to the FTC every two years. It wasn't fined at the time, but the FTC warned it could be fined if it violated the agreement.
The FTC accused Facebook of assuring users that their information would be kept private but then making changes to the site's controls that opened up data to the public without users' consent. The agency also contended that Facebook misrepresented the type of access third-party apps could have to personal data and shared personal data with advertisers.
The Cambridge Analytica issue centered on the sharing of personal information. A Cambridge University researcher, Aleksandr Kogan, deployed a personality quiz on Facebook in late 2013. The quiz collected information not only on people who took the quiz, but also on their friends who didn't take it.
Kogan passed the data to Cambridge Analytica, which Facebook contended was against its rules. It would appear that kind of data sharing - without users' permission - would violate the FTC settlement.
Pressure is growing on technology companies as privacy and security regulations are strengthened. The European Union's General Data Protection Regulation is influencing technology companies around the world, which are often opting to adjust to that new high bar even if their home country laws are weaker.
The U.S. is also mulling federal privacy legislation that would offer broader protections to consumers in an economy where personal data is a powerful fuel for profit.
But there are questions about whether fines are enough, especially because the largest technology companies make billions in profits each quarter. In New York, however, a criminal probe against Facebook is underway, with a grand jury investigating controversial data-sharing deals the social network made (see: Prosecutors Probe Facebook's Data Deals).
There are also questions as to why audits conducted in the years since Facebook's last settlement with the FTC didn't raise alarms.
The audits were never intended to be made public. But the Electronic Privacy Information Center, a Washington-based digital watchdog, filed a Freedom of Information Act request in March to obtain three assessments. Last week, EPIC said it obtained a redacted version of a 2017 assessment by PwC.
This time around, McSherry says, the FTC should focus on a new settlement with Facebook that would be meaningful and followed by the company. Longer term, mechanisms need to be put in place to make sure tech companies comply, she says.
"We need transparency as part of a decree now and certainly any regulation down the road," McSherry says. "We need independent audits to be public and not hidden away and ones with real rigor."