Though it may have gotten lost in the coverage of Robert Mueller’s testimony, the Federal Trade Commission reached a record-breaking $5 billion settlement with Facebook regarding the company’s privacy practices. Despite being the second largest civil penalty the FTC has ever levied, many commenters have questioned both the decision to settle the case and its potential to deter companies from engaging in harmful consumer data practices in the future. While they may have a point, this case highlights a more significant challenge: Congress needs to act on consumer privacy.
Existing law limits what the FTC can do to oversee consumer privacy. In this case, the commission’s authority stemmed from Section 5 of the Federal Trade Commission Act and a 2012 consent decree restricting Facebook’s misrepresentation of its data practices. This meant that the FTC was limited to targeting not Facebook’s act of sharing of user data with third parties, among others, but the company’s misrepresentation of, and failure to adequately disclose, what it was doing.
More generally speaking, while the commission can target unfair practices that substantially injure (or are likely to substantially injure) consumers, informational injuries like privacy breaches present a unique challenge because they often involve harms other than financial loss. For the Cambridge Analytica scandal in particular, the specific harm was not to consumers directly but rather to the electoral process as a whole. Quantifying and proving this harm in court would thus have been a difficult task.
Rather than risking defeat in a lengthy court battle, the FTC decided to settle, immediately providing relief to consumers and freeing up Commission resources to protect consumers elsewhere. Yet serious questions remain about whether the FTC could have pursued a more stringent remedy using its existing enforcement tools. And despite what might seem like a massive price tag, a $5 billion settlement is unlikely to deter multibillion-dollar companies like Facebook from acting similarly in the future.
These limits on the FTC’s ability to hold companies accountable demonstrate why it is time for Congress to move forward on a national privacy law.
Rather than the commission relying on its Section 5 general protection authority, which is difficult to apply to informational injuries, a national privacy law could theoretically grant the FTC narrowly targeted notice and comment rulemaking authority to address particular aspects of the collection and use of consumer data. This would allow the agency to clearly outline specific practices that are prohibited and go after violations that would otherwise not run afoul of Section 5.
A national privacy law could also allow the commission to leverage other aspects of its existing Section 5 authority to a more significant extent. In the Facebook case, for instance, the FTC was only able to impose the $5 billion fine because the company violated a consent decree that the FTC issued against it in 2012. If Congress were to draft — or authorize the FTC to draft — clear rules outlining what practices are against the law, the commission wouldn’t need to first obtain a consent decree to pursue civil penalties for violations of commission rules.
A national privacy law could also give the commission more confidence in its ability to win cases in litigation. As many have argued, a major issue with the FTC’s case-by-case approach to privacy enforcement is that its “cases” have no precedential value, and the Commission ends up settling nearly three-quarters of its enforcement actions. The FTC needs to actually litigate these cases in order to provide a clear standard of what conduct is allowed and what conduct is prohibited. With more confidence in its ability to litigate, the FTC may be able to pursue more vigorously its enforcement actions in court.
Finally, litigating cases requires resources. If Congress allocated additional funding to support these efforts, the Commission could acquire the resources it needs to succeed in court.
Those who think the settlement is just a slap on the wrist may be right. However, so long as the FTC can only rely on its existing statutory authority, its enforcement actions will always be limited. It is clear that a national privacy framework needs to move forward, if for no other reason than to ensure that the FTC has the requisite authority to protect consumers.
Image credit: Wachiwit