One key cost of Facebook's privacy pact with the FTC: more lawyers
30 Mar 2020 12:00 am by Mike Swift
Buried more than 50 pages into Facebook’s annual 10-K report is an item that may flag a fuller measure of the cost of its proposed $5 billion privacy settlement with the US Federal Trade Commission: Facebook is hiring a lot more lawyers.
The proposed FTC privacy settlement with Facebook is often described as a $5 billion fine coupled with injunctive relief, including the requirement that Facebook add new privacy oversight functions for its board of directors and senior executives, and perform annual privacy risk assessments. A deeper dive into Facebook’s publicly disclosed financial numbers, however, suggests that the ongoing compliance costs to the company could be expensive, perhaps ultimately more than the one-time $5 billion fine.
The proposed settlement, which still must be approved by a federal judge in Washington, DC, has been highly controversial, with privacy advocates and some lawmakers aggressively questioning the broad release of legal claims against Facebook that go far beyond the Cambridge Analytica privacy leak that prompted the FTC investigation.
A full accounting of what the FTC settlement will cost Facebook and how it may change the company requires a deeper study of the broader changes the company is being forced to make. Facebook told investors in January that the settlement will include significant ongoing privacy compliance costs, which could have a material impact on its operations.
“In particular, we have agreed with the FTC to implement a comprehensive expansion of our privacy program, including substantial management and board of directors oversight, stringent operational requirements and reporting obligations, and a process to regularly certify our compliance with the privacy program to the FTC, which will be challenging and costly to implement,” Facebook told investors in its 2019 10-K filing.
As part of the one-time FTC fine and another record privacy settlement over its use of facial recognition technology recorded on Facebook’s 2019 balance sheet, Facebook had a 203-percent increase in its General and Administrative costs, to $10.5 billion, a line item that includes legal-related costs. Beyond the one-time fines and settlements, the company said cost growth in that category was driven by higher salary and benefits expenses due to a 31 percent increase in employee headcount during 2019.
Many of those new hires are lawyers. Facebook does not break out how many of the new General and Administrative employees are lawyers, or part of any other profession. But the Menlo Park, California, company currently lists more than 200 active job openings tagged for legal or public policy, including "Privacy and Data Policy Manager, Data Ecosystem", and a "Privacy and Data Policy Manager" to work with Facebook engineers "to build privacy into the products and services that we're developing and shape Facebook's privacy vision for Messenger." Both of those openings and many other privacy and data protection listings say a juris doctor degree is required or preferred.
There likely will be other trickle-down impacts of the FTC settlement, Facebook has warned investors. It could make it more difficult, expensive and time-consuming for Facebook to launch new products. Senior management and the board of directors will be required to devote “significant time and attention” to privacy compliance. And Facebook will have to spend more money on its technical ability to lock down personal information and track the way it's shared.
Facebook is also rolling out new privacy disclosure tools, including new data made available starting today that shows users more about how their activity on Facebook and Instagram shapes what they see on those platforms. Those products may require new product development teams, it is understood, although costs for engineers and programmers are generally listed in categories other than General & Administrative.
— Ongoing compliance costs —
Facebook doesn't break out specific regulatory compliance costs. But they are contained in the “General and Administrative” category in its consolidated statements of income, as one of the four overall cost items, which also include sales and marketing, research and development, and “cost of revenue,” which includes the operation of Facebook’s data centers, including energy and bandwidth costs, and traffic and content acquisition costs.
From 2016 through 2018, Facebook’s annual General and Administrative costs grew significantly from $1.7 billion to $3.5 billion. But that increase tracked with the growth in Facebook’s revenues over those three years. The percentage of total revenue going to general and administrative costs staying rock steady between 6.2 and 6.3 percent.
That changed — dramatically — in 2019, as general and administrative costs skyrocketed to $10.5 billion, or 14.8 percent of total revenue of $70.7 billion. General and administrative costs include Facebook’s legal-related costs, as well as salaries and benefits and other compensation for some executives, and the cost for Facebook’s legal, finance, human resources, corporate communications and policy, and other administrative employees.
Last year was the first since Facebook went public in 2012 that General and Administrative costs eclipsed what Facebook spent on sales and marketing. 2019 will be an outlier, of course, in part because of the one-time $5 billion fine, but also because of the record $550 million Facebook agreed to pay to settle class-action privacy litigation in San Francisco over its alleged violation of the Illinois Biometric Information Privacy Act through the company’s use of facial-recognition technology without consent.
“The big driver on G&A was legal settlements,” including the BIPA settlement, Dave Wehner, Facebook’s chief financial officer, told financial analysts on a Jan. 29 earnings call, in which he noted an 87 percent jump in General and Administrative costs over the fourth quarter of 2018. “We're focused on investing to be compliant with new evolving regulations, so there is expense that comes with that to us and obviously to everyone else in the industry, as well.”
Backing the one-time privacy fines and settlements out of Facebook’s 2019 numbers is one way to try to understand which permanent costs are being built into Facebook’s operations for privacy compliance. That analysis is imperfect because of limitations in the data Facebook shares with investors, but it makes clear that the company’s incremental costs for privacy compliance after the FTC order go well beyond paying one-time fines and settlements.
Backing those one-time costs out would have left Facebook spending $4.9 billion on General and Administrative in 2019, or about 7 percent of its total revenue. That's nearly 1 percentage point as a share of revenue more than it spent from 2016 through 2018. One percent of Facebook’s 2019 revenue was about $700 million.
Beyond the one-time privacy fines and settlements, the growth in General and Administrative costs was driven by higher salary and benefits expenses due to a 31 percent increase in employee headcount during 2019. Across the company, Facebook’s employee headcount grew by 26 percent in 2019, to 44,942 people. Facebook declined to disclose the total employee count that underlies the 31 percent increase in headcount.
If Facebook continues to spend 7 percent of its revenue on general and administrative costs instead of the 6 percent it has spent in recent years because of privacy compliance, the annual incremental growth would soon approach $1 billion, as Facebook’s revenues continue to grow.
Such an analysis is imprecise because General and Administrative costs include a wider spectrum of operations than just privacy compliance. Also, the proposed settlement with the FTC was announced halfway through 2019, so Facebook’s 2019 numbers don’t capture a full year of the settlement’s impact. The current Covid-19 crisis is already impacting Facebook’s revenues and could further muddy the picture. And Facebook also must comply with a growing list of comprehensive privacy laws, including Europe’s General Data Protection Regulation and the California Consumer Privacy Act.
But the numbers, perhaps, give a sense of the kind of ongoing costs Facebook will have to pay in the future for its privacy failures in the past. One of those costs is the ongoing legal campaign Facebook has launched against bad actors on its platforms, attempting to use the US courts to police its platform globally.
— Cultural shift? —
It’s also worth thinking about how the influx of lawyers and policy people affects the company beyond budget numbers. The “Move Fast and Break Things” posters in bold, red print that were once a fixture of Facebook’s hacker-culture that glorified disruption — the posters once dotted the walls in Facebook's California headquarters and were still prominent in some Facebook offices outside the US into 2018 — are unlikely to be fixtures in the Facebook legal department.
The substantial growth in compliance staff could create a more conservative, risk-averse culture, which in the end is something that regulators might not be heartbroken to see.
The FTC ’s ambition for the outcome of its landmark privacy settlement with Facebook might seem surprising on the surface: For nothing to happen.
“If we’re successful, then it will be very boring,” Andrew Smith, director of the FTC’s Consumer Protection Bureau, told MLex in a recent interview. “There won’t be any fireworks; there won’t be any law violations; there won’t be any privacy violations — if this works the way it’s supposed to. In a year or two’s time, no news will be good news.”
Smith was recused from the Facebook investigation, so he couldn't discuss details of the settlement. But for the effect of the settlement, he said, it could be judged a success if people soon forget about it.
“Order enforcement and compliance can be challenging — generally, we get blamed if something goes wrong, but we don’t necessarily get credit for the success,” he said.
03 Aug 2020 9:29 pm by Ana Paula CandilCompanies are pressuring Brazilian lawmakers to delay implementation of the nation's data-protection law from Aug. 16 until next May.
Biggest cyberattack ever caused $15 billion loss to customers of companies directly hit, though banks softened impact, study says31 Jul 2020 12:00 pm by Neil RolandThe most damaging cyberattack ever in 2017, caused a $15 billion loss to customers of companies directly hit, a federal study said.
International companies more prepared than local companies for Brazilian data protection law, Alves says30 Jul 2020 11:00 am by Ana Paula CandilInternational companies are much more prepared for Brazil's new data protection law than Brazilian firms because they already comply with similar legislation.