Lessons from the FTC’s Facebook saga
The FTC’s settlement with Facebook does little to change or restrict repeat business practices.
Now I want to discuss one of the best examples of failure to crack down on repeat offenders: the Federal Trade Commission’s (FTC) treatment of one of the largest and most well-known companies in the world: Facebook. Facebook is a clear example of a politically powerful company that has routinely violated the terms of its government order with no real consequences.
I raise Facebook not only because it is a glaring case, but also because of the potential entry of very large companies into financial services. It’s clear that Big Tech wants to get into financial services, as we saw with Facebook’s failed attempt to create a new global currency. We’ve also seen Alibaba, Amazon, Google, and Tencent move into financial services, including payments, money management, insurance, and lending. Given their size and customer base, their entry has the potential to transform the industry. How these companies engage in other business practices is how we might expect them to engage in financial services, so it’s worth going into the specifics of the FTC matter against one of the biggest players in this field.
In 2011, the FTC voted to file an eight-count complaint against Facebook. According to the FTC, Facebook “deceived consumers by telling them they could keep their Facebook information private, then repeatedly allowing it to be shared and made public.” The FTC simultaneously settled the case with no money, but demanded that Facebook stop its deceptive conduct and implement a program to ensure that privacy promises are kept. The settlement also gave the Commission broad access to company documents and personnel to ensure that the company would no longer break the law.
I came to the FTC as commissioner in May 2018. The agency was in decay and disarray after years of lax enforcement against big business, spanning multiple jurisdictions. In some of the most pervasive recent national crises, from the financial disaster of 2008 to the opioid epidemic to the student loan and for-profit college scandals, the FTC was essentially absent. On a bipartisan basis, the Commission relied heavily on a “no money, no fault” settlement strategy, where wrongdoers suffered no consequences, even in cases of blatant fraud.
In Facebook’s case, however, the company was already subject to an FTC order, and violations of an order were subject to significant consequences under applicable law. But to many observers, the FTC seemed to just be watching as its orders were openly flouted.
A few months before I arrived at the Commission, it emerged that Facebook had allowed Cambridge Analytica, a data analysis company, to collect information from more than 50 million people and use it for political purposes. It was just one of many controversies where Facebook broke its promises to employ reasonable safeguards to keep personal information private unless the user gave explicit affirmative consent.
For the credibility of the US government, I thought it was essential that the FTC enforce its own order. For years and years, however, the commissioners frustrated the staff of the agency. The commissioners have deployed armies for small-scale scams, while depriving staff of the resources needed to monitor Facebook and other Big Tech companies. It was clear that these companies didn’t think the FTC was serious at all.
In the summer of 2019, the FTC prepared a fifty-page, six-point complaint that detailed a long list of privacy breaches, including material breaches of orders. This was clearly only scratching the surface of the company’s problems. But rather than fully investigate the matter or demand significant changes to Facebook’s data collection practices, the commissioners pursued what many believed was a publicity stunt.
I agree that the negotiated settlement accepted by a majority of the Commission made the headlines. But the fine print of the settlement gave Facebook plenty to celebrate. Facebook would pay a $5 billion fine but did not have to make any substantial changes to its business practices. Surprisingly, Facebook was able to secure a highly unusual immunity clause for its executives, including Mark Zuckerberg and Sheryl Sandberg. Zuckerberg was also able to retain absolute control over the company: although the settlement required a so-called independent privacy committee, its members would have to be approved by shareholder vote, and we know that Zuckerberg essentially controls a supermajority of voting power.
Three of the commissioners held a press conference, complete with custom graphics, about the “record” nature of the settlement. In fairness, $5 billion seems very significant. But Facebook had become one of the most valuable companies in the world, approaching a trillion-dollar valuation. During the press conference, a senior career official widely admitted that the commissioners had agreed to waive seeking testimony and documents from Zuckerberg in exchange for a higher fine. It was clear to many that the company had paid the FTC to minimize scrutiny of its top executives’ role in the violations of the orders.
News of the settlement quickly set off alarm bells among data protection regulators around the world. A global consensus emerged that the settlement was a sham.
In my voting statement against the settlement, I described how Facebook flagrantly violated the FTC’s 2012 order and how the proposed settlement did little to change the business model or practices that led to the recurrence. The settlement did not impose any significant changes to the corporate structure or financial incentives, which led to the violations. It also did not include restrictions on mass surveillance or the company’s advertising tactics. Instead, the order allowed Facebook to decide for itself how much information it could harvest from users and what it could do with that information, as long as it created a paper trail.
The proposed settlement allowed Facebook to get off the hook for unspecified violations and gave Facebook an unusually broad legal shield, a departure from standard FTC practice. Indeed, when the settlement was announced against Facebook, its stock skyrocketed.
In my opinion, there have been many lessons to be learned from the FTC’s Facebook saga:
• For very large companies, seemingly large fines, even those that “set records”, may seem very punitive, but may have little effect;
• Corporate boards will do their utmost to shield senior executives from scrutiny, even if they are all bound by agency orders; and
• Committees, paperwork, compliance units and other procedural requirements have much higher oversight costs than clear structural solutions that significantly alter business incentives.
We need to learn from these lessons to think not only about how to stop recidivism, but also about how to treat small and large businesses equally when it comes to repressive actions.
This essay is part of a three-part series based on remarks made at the Annual Distinguished Lecture on Regulation at the University of Pennsylvania Law School on March 28, 2022.