Following reports that the Federal Trade Commission (FTC) is negotiating penalties for Facebook’s breach of its consent order, U.S. Senators Josh Hawley (R-Mo.) and Richard Blumenthal (D-Conn.) sent a letter to FTC Chairman Joseph Simons to urge the FTC “to act swiftly to conclude its investigation of Facebook and to move to compel sweeping changes to end the social network’s pattern of misuse and abuse of personal data.”
The senators called on the FTC to “pursue deterrent monetary penalties and impose forceful accountability measures on Facebook, including limits on the use of consumer data, managerial responsibility for violations, and other structural remedies to stop further breaches of consumer trust.”
Referring to Facebook’s financial earnings statements in which the social network giant set aside up to $5 billion for a potential fine, the senators urged the FTC to go further than a one-time fine, writing that the “rumored number is a bargain for Facebook,” and “even a fine in the billions is simply a write-down for the company.” Instead, Blumenthal and Hawley urged the FTC to “impose long-term limits on Facebook’s collection and use of personal information.”
The Senators also asked the FTC to hold any Facebook employees – including Mark Zuckerberg – who knowingly broke the law personally responsible, writing, “the FTC considered naming Mark Zuckerberg in its previous consent order but ultimately declined to do so. If the FTC finds that any Facebook executive knowingly broke the consent order or violated the law, it must name them in any further action.”
The full text of the letter is copied below and available here.
May 6, 2019
The Honorable Joseph Simons
Chairman
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Dear Chairman Simons:
We write to urge the Commission to act swiftly to conclude its investigation of Facebook, and to move to compel sweeping changes to end the social network’s pattern of misuse and abuse of personal data. This investigation has been long delayed in conclusion – raising the specter of a remedy that is too little too late. The Facebook consent decree violations have been blatant and brazen, an offensive defiance that adds insult to injury. The public is rightly asking whether Facebook is too big to be held accountable. The FTC must set a resounding precedent that is heard by Facebook and any other tech company that disregards the law in a rapacious quest for growth. The Commission should pursue deterrent monetary penalties and impose forceful accountability measures on Facebook, including limits on the use of consumer data, managerial responsibility for violations, and other structural remedies to stop further breaches of consumer trust.
According to its most recent financial earnings statement, Facebook has estimated that the FTC’s investigation will cost the company between $3 billion to $5 billion.1 While the reported penalty exceeds previous privacy cases, the scope and nature of the allegations are also unprecedented. The Cambridge Analytica incident that initially prompted the investigation affected the personal data of more than 70.6 million Americans, and Facebook still has not fully accounted for similar misuse by other third party applications.2 This also does not consider further issues that the FTC may find in its investigation, such as recent reports that Facebook harvested address books from email accounts without user consent.3
In the same quarter it reported the FTC fine, Facebook recorded $15 billion in revenue, beating market expectations. Considering the maximum civil penalty amount of $42,530 per violation, the rumored number is a bargain for Facebook. Even a fine in the billions is simply a write-down for the company, and large penalties have done little to deter large tech firms.4 If the FTC is seen as traffic police handing out speeding tickets to companies profiting off breaking the law, then Facebook and others will continue to push the boundaries.
Fines alone are insufficient. Far-reaching reforms must finally hold Facebook accountable to consumers. We are deeply concerned that one-time penalties of any size every few years are woefully inadequate to effectively restrain Facebook. The FTC should impose long-term limits on Facebook’s collection and use of personal information. It should consider setting rules of the road on what Facebook can do with consumers’ private information, such as requiring the deletion of tracking data, restricting the collection of certain types of information, curbing advertising practices, and imposing a firewall on sharing private data between different products, including Facebook’s ad platform.
As important as remedies on Facebook as a company are, the FTC should impose tough accountability measures and penalties for individual executives and management responsible for violations of the consent order and for privacy failures. Personal responsibility must be recognized from the top of the corporate board down to the product development teams. For decades, the FTC has understood that some violations require naming specific executives in its consent orders, particular those that “formulates, directs, or controls the policies, acts, or practices” that break the law.5 According to the Washington Post, the FTC considered naming Mark Zuckerberg in its previous consent order but ultimately declined to do so.6 If the FTC finds that any Facebook executive knowingly broke the consent order or violated the law, it must name them in any further action.
It is also time for the FTC to learn from a history of broken and under-enforced consent orders. The FTC has an opportunity to establish a new set of requirements for consent orders that target data privacy cases and provide enduring safeguards for consumers. Such measures could include the direct appointment and oversight of auditors by the FTC, strict board or managerial liability for assessments and compliance, restriction on data practices or collection, and public disclosure of audits.
The Facebook investigation will be a defining moment for the Commission. It must be seen as a strong protector of consumer privacy and begin to set out a new era of enforcement, or it will not be taken as a credible enforcer. Action is overdue.
Thank you for your attention to this important matter.
- “Facebook Reports First Quarter 2019 Results”, Facebook, accessed April 30, 2019.
- Schroepfer, Mike “An Update on Our Plans to Restrict Data Access on Facebook”, Facebook, last modified April 4, 2018.
- Goodin, Dan “In new gaffe, Facebook improperly collects email contacts for 1.5 million”, Arstechnica, last modified April 8, 2019.
Franceschi-Bicchiera, Lorenzo “Facebook’s Phone Number Policy Could Push Users to Not Trust Two-Factor Authentication”, Motherboard, last modified May 4, 2019. - Bartunek, Robert-Jan, Blenkinsop, Philip, Mahlich, Greg “EU fines Facebook 110 million euros over WhatsApp deal”, Reuters, last modified May 18, 2017.
“Google Forfeits $500 Million Generated by Online Ads & Prescription Drug Sales by Canadian Online Pharmacies”, Department of Justice, Office of Public Affairs, last modified August 24, 2011.
Satariano, Adam “Google Fined $1.7 Billion by E.U. for Unfair Advertising Rules”, The New York Times, last modified March 20 2019. - “Docket No. C-4161 Decision and Order”, United States of America Federal Trade Commission, last modified June 20, 2006.
- Romm, Tony “Facebook CEO Mark Zuckerberg said to be under close scrutiny in federal privacy probe”, The Washington Post, last modified April 19, 2019.