FTC failed to enforce Facebook consent decree, critics charge amid firestorm
By Kirk Victor. Originally published on FTCWatch™ on April 2, 2018
Top Federal Trade Commission officials boasted of their tough consent decree in 2011 that required Facebook to keep its promise to protect users’ information, but critics charge the agency failed to enforce the decree despite being warned years ago that the social network was violating it.
“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” Jon Leibowitz, then the FTC’s chairman, said in November 2011 when the agency announced the company had settled charges of deceiving users by telling them they could keep their information private only to allow it to be made public. Facebook agreed to take a series of steps to protect data in the future.
“Facebook's innovation does not have to come at the expense of consumer privacy,” Leibowitz added. “The FTC action will ensure it will not.”
But after signing the decree, the FTC didn’t effectively oversee it, consumer activists contend. Instead, it took the recent political firestorm aimed at Facebook to prod the commission into taking the unusual step of announcing that it had launched a “non-public investigation,” they say.
“The FTC failed to enforce the consent decree,” Jeffrey Chester, executive director of the Center for Digital Democracy, a privacy advocacy group, said in an interview. “If it wasn’t on the front page of every newspaper around the world and lead stories on television and with powerful politicians for the first time unfriending Facebook, the FTC would still not be doing anything.”
“I was going through my records the other day and looked at how many times I sent them information in 2014 — saying Facebook is violating the consent decree. I met with Jim Kohm’s team [in charge of enforcing the decree] twice. I sent them numerous e-mails,” Chester continued.
The consent decree barred Facebook from making further deceptive privacy claims, required the company to get consumers’ approval before data about them is shared beyond the privacy settings they have set, and required that Facebook obtain periodic assessments of its privacy practices by independent, third-party auditors for 20 years.
Jessica Rich, then the director of the FTC’s Bureau of Consumer Protection, was as emphatic as Leibowitz in an interview with MLex in 2016: “All of our data security orders — and some of our privacy orders, too — require the companies under order to establish and maintain comprehensive programs to protect consumer data. We closely monitor these orders and we believe they provide important guidance to not just the companies subject to them, but all companies that handle sensitive consumer data.”
But Rich’s reassurance was belied when news exploded that Cambridge Analytica, a British data analytics firm that worked for the Donald Trump presidential campaign, may have accessed as many as 50 million Facebook users’ data without their consent.
Since then, the social network has been under fire. On Capitol Hill, lawmakers are seeking answers from CEO Mark Zuckerberg (who has agreed to testify). Thirty-seven state attorneys general also are demanding more information, several class actions have charged the company was negligent and the FTC has launched its investigation.
While Zuckerberg has taken out full-page ads in leading newspapers to apologize for a “breach of trust,” the company had earlier issued a statement to The Washington Post that “we reject any suggestion of violation of the consent decree. We respected the privacy settings that people had in place.”
More recently, Facebook announced various steps that it says will better enable users to control their personal data.
Meanwhile, consumer advocates are directing much of their ire at the FTC.
“I’m glad people are finally saying that maybe they should enforce their consent orders, but it is a little bit ironic that the people who were there [at the agency] back in the day and could have done something are now the ones saying that the FTC should act,” Marc Rotenberg, president and executive director of the Electronic Privacy Information Center, said in an interview.
“This whole Cambridge Analytica controversy can be laid directly at the doors of the Federal Trade Commission,” Chester said. “Despite the consent decree, Facebook expanded its data gathering practices without constraint every day. I made all of that information available to the FTC. … You know how many e-mails I sent? Hundreds. I said, ‘Here is what they are doing — it is not permitted by the consent decree.’”
Rotenberg also noted that EPIC had “repeatedly told the commission, every time they asked what do we need to do, we answered very simply, ‘enforce your consent orders.’ We said to the FTC that there should be a formal process every time there is a substantial change in business practice that implicates personal data by a company that is subject to a consent order concerning privacy. The FTC has an affirmative obligation to determine whether that change in business practice violates the consent order.”
“We wanted them to create a formal process, and we wanted them to stay on top of these companies. It didn’t happen,” he added. “What most of the world doesn’t understand is that the company was actually subject to a legal order. It wasn’t, ‘maybe we can go ask Mark Zuckerberg to be nicer.’ We knew in Washington what the constraints on the practices were supposed to be, and the FTC simply dropped the ball.”
Other advocates share that anger, as reflected in a letter signed by 17 leading consumer privacy groups last month to FTC acting Chairman Maureen Ohlhausen and Commissioner Terrell McSweeny, charging: “It is unconscionable that the FTC allowed this unprecedented disclosure of Americans’ personal data to occur. The FTC’s failure to act imperils not only privacy but democracy as well.”
The FTC declined to respond to these charges.
“The problem is a problem all enforcement agencies have: It is easier to write a decree than to actually monitor compliance with it,” Tim Wu, a professor at Columbia Law School, wrote FTC:WATCH in an e-mail. “The FTC relied on third-party audits, but from what I've seen of the audits, they were superficial. They certainly didn't catch the problems we are dealing with now.”
Wu suggested an approach that might induce companies to be diligent in abiding by such decrees.
“Perhaps, in a big case, the FTC should force itself to do a re-investigation of the target after some period — like three years — to see if the problems have actually gone away,” Wu wrote. “Staff might find that tedious, but the knowledge that the FTC and its lawyers would be coming back might be far more powerful a deterrent than any third-party auditor.”
David Vladeck, who was director of the Bureau of Consumer Protection when the decree was struck, noted in an interview that one “problem that the agency faces is that part of this depends on the ability of the clients, the willingness of clients to, basically, come clean when there are problems.”
“It may be — and I am just speculating and don’t know this for a fact, but it may be that there are things that Facebook should have reported to the FTC that it didn’t,” he added.
As for what the FTC might do now, Vladeck, a professor at Georgetown Law School, noted that if the investigation “finds there have been violations of the consent order, they will bash Facebook upside the head.”
Vladeck noted a penalty could be “astronomical — it’s 50 million people times $40,000. I can’t count that many zeroes. Of course the agency is not going to try to pull the plug on this company by imposing a trillion dollars sanction, but the money goes up quick.”
If it got to that assessment, Vladeck says the agency will consider “a lot of factors: one is the gravity of the violation; the efforts, if any, Facebook took to remediate the violation; how cooperative it has been; what sort of deterrent message the agency wants to send, not simply to Facebook, but to other Internet giants. ... If there is a violation here — that is up for the agency to decide — this could be a very, very substantial civil penalty.”