Facebook was already in a world of trouble following revelations that Cambridge Analytica used misappropriated data from users in its political ad targeting during the 2016 election.
Facebook user rage spiked and many voices called for investigations even as Mark Zuckerberg remained silent about the breach for five days before offering an explanation and apology. Since then Facebook’s situation has only gotten worse.
On March 26, Tom Pahl, the Federal Trade Commission’s acting director of the Bureau of Consumer Protection, released a statement confirming that the agency is investigating Facebook for violations of a 2012 consent decree that established requirements for how Facebook protects user data.
“Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements,” Pahl said in his statement. “Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”
The penalties for violating such an agreement with the FTC include fines of up to $40,000 per violation. In addition, the FTC can make the consent decree even stronger by subjecting Facebook to greater regulation.
Facebook already faces more stringent regulation in Europe. The way it handles user data will be controlled by the General Data Protection Regulation when it goes into effect on May 25.
Furthermore, Germany’s Justice Minister Katarina Barley reportedly has summoned Facebook executives to a meeting to explain the data loss. Barley told Reuters that breaches such as Facebook’s can’t happen again and that Facebook would be regulated much more strictly. Apparently she feels that the GDPR on its own isn’t strict enough, given Facebook’s practices.
Facebook may also face consequences beyond whatever action the FTC takes. According to Thomas Jackson, a partner at Phillips Nizer who chairs that firm’s technology practice group, the FTC investigation could also open the door to state attorneys general to take their own actions. “The FTC’s jurisdiction is somewhat limited,” he said.
At least 37 state attorneys general are demanding information from Facebook about when the breach occurred, when Facebook became aware of the breach and what safeguards were in place to protect users’ privacy.
Cook County, Ill., has filed suit in Circuit Court on behalf of millions of Illinois residents, claiming that Facebook committed fraud by failing to protect users’ privacy.
Meanwhile, others in the tech industry are beginning to call for regulation including Apple CEO Tim Cook. “I think that this certain situation is so dire and has become so large that probably some well-crafted regulation is necessary,” Cook reportedly told Bloomberg during a meeting in Beijing over the weekend.
Cook is well known for his strong stance on privacy, even to the extent of defying government investigators who wanted Apple to help break its iPhone encryption. Cook said that he’s been worried for years that people were giving up their personal information without realizing it was happening.
Cook’s call for services such as Facebook to be regulated is certain to resonate with many in Congress who are already studying the idea. The Commerce Committees of both the House of Representatives and the Senate have indicated that they want Zuckerberg to testify. Members of those committees are already discussing what social media data protection regulations should look like.
The Senate Commerce Committee has already sent Zuckerberg a series of questions about the Cambridge Analytica breach and Facebook’s subsequent handling of user notifications and data handling.
At this point there’s no agreement about what regulation might look like, or even whether it should take the form of legislation or FTC regulation. The FTC has the framework in place to protect consumer privacy, but it’s not clear that it has the statutory authority to handle situations such as Facebook’s widespread data sharing with advertisers or market researchers.
“There needs to be some balance struck so that social media companies have the ability to monetize what they’re offering,” Jackson said, but he added that social media companies need to take responsible positions on how that information is used.
The regulatory picture may change following the FTC investigation if the agency finds that Facebook violated its consent decree, but that doesn’t necessarily bind other social media networks.
What Congress needs to do is find a way through legislation to create a framework for consumer data protection as it applies to all cloud-based services, not just social media. Consumers need to know how their data is being protected, who’s keeping it and in some cases where it’s stored. Companies that use and store consumer data should be prepared to explain what they do to it, and they should be accountable for what happens to it.
At a minimum, that protection must include data security protections meeting a set of defined standards, it must include encryption, and it must include strict limits on data sharing.
Note that this suggestion goes beyond just social media, and while it applies to those companies, it must also apply to other collectors of personal data, including services such as Equifax, not to mention everything from cable television providers to insurance companies.
As it is now, when consumer data gets breached and exposed or stolen, the only consequence seems to be a sort of corporate “Oops, my bad.”
One of the significant parts of the EU’s GDPR is that there are real consequences for bad corporate behavior. While the GDPR may be too strict in the eyes of U.S. lawmakers, the idea that people’s data has value and must be protected is one that needs to be codified.
As it is right now, market forces aren’t doing anything to correct the kind of loose behavior that we’ve seen with Facebook and in previous data breaches involving Equifax, Uber and a number of other companies that failed to protect their customers’ data.
Like the GDPR, the financial penalties should be significant, but there should also be criminal penalties when the behavior is particularly egregious. Ultimately, nothing gets a board’s attention like seeing their CEO in an orange jumpsuit.