The Federal Trade Commission issued a $5 billion fine against Facebook on Wednesday. It’s an eye-popping number for sure, one that blows previous fines out of the water.
It’s a number that makes for impressive headlines, but it is largely meaningless. Facebook posted $15 billion in revenue last quarter, at which point it announced that it had set aside $3 billion to pay potential fines. Facebook’s stock price barely budged when the size of the expected fine was first reported this month. After the FTC’s official announcement on Wednesday, the stock price closed slightly higher than at opening.
The weightlessness of the fine isn’t the only problem with the deal. The settlement order grants Facebook and its officers immunity in a wide range of possible misdeeds committed before June 12. The agency has also declined to hold Mark Zuckerberg — or anyone else — personally liable for Facebook’s repeated privacy violations. Come again?
Yes, Facebook has agreed to sweeping new oversight of how the company handles personal data, which includes information like names, phone numbers, IP addresses and even biometric information. But the oversight largely consists of a mandatory privacy program to be created by Facebook, for Facebook.
The company agreed to a privacy program back in 2011 when it first got into trouble with the FTC. The new privacy program is much more stringently outlined, but it is not enough. In the words of Commissioner Rohit Chopra, who cast one of two dissenting votes on the new deal: “The settlement imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations. Nor does it include any restrictions on the company’s mass surveillance or advertising tactics.”
All it takes to show the fundamental dysfunction at the heart of American privacy law is to revisit the story of how we got to this $5 billion fine.
In 2010, Facebook changed its privacy controls without warning its users, when it started “Instant Personalization” — where the site handed personal data over to third parties like Pandora and Yelp without informing users ahead of time. It kicked off enough of a controversy that four senators objected and the Electronic Privacy Information Center filed a complaint with the FTC.
The commission found that Facebook had engaged in “unfair and deceptive practices” through its actions. “Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate,” the FTC said in 2011. “In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.”
Facebook repented and settled with the FTC, placing itself under a consent decree. The agreement required Facebook to stop making “misrepresentations” about users’ privacy and security, to create a comprehensive privacy program to deal with the user data it was charged with sharing, and to audit its privacy program every two years for the next 20 years.
Under the agreement Facebook is liable for up to $16,000 (adjusted for inflation) a day per infraction. It’s not just that Facebook, a more than $570 billion company, should have known better. It did know better. The FTC has it in writing.
Three years later, Facebook allowed a personality test app to harvest data on nearly 87 million people — data that was fed to a political consultancy called Cambridge Analytica, in order to develop psychological profiles of American voters.
On its own, what happened between Facebook and Cambridge Analytica may not have been explicitly illegal under American law, but Facebook’s actions did violate the consent decree.
The Federal Trade Commission is also responsible for this state of affairs — its lenient attitude toward Silicon Valley allowed the industry to misbehave. And when the FTC did strive to protect Americans’ privacy, its resources were never quite enough to stand up to tech giants. The budget of the agency — of which its digital privacy division is only a small part — is smaller than the office of the California attorney general. Yet this is an agency expected to police companies valued at half a trillion dollars.
On the same day that the FTC announced the new settlement and $5 billion fine on Facebook, the company disclosed that it was the subject of an antitrust investigation by the agency, and possibly by the Justice Department as well. But despite renewed interest in antitrust for the tech industry, antitrust law itself must evolve before robust government oversight has any chance of taking place.
This week, Zuckerberg announced major changes to his company’s privacy protections. “Overall, these changes go beyond anything required under U.S. law today,” he wrote in a Facebook post. He is right. And that’s a profound condemnation of American privacy laws.
This article originally appeared in The New York Times.