On April 24, 2019, Facebook announced to investors that it expects to set aside an amount between $3 billion and $5 billion in relation to the investigation by the United States Federal Trade Commission (FTC) regarding Cambridge Analytica prior to any final judgment on the matter. In mid-July, it was reported that the FTC voted to approve a roughly $5 billion settlement in relation to that investigation (and, while this decision has not yet been officially announced, it is widely expected to eventually be approved and finalized by the Department of Justice). Currently, the highest penalty for violation of an FTC order is the $22.5 million that Google agreed to pay in 2012 as part of a settlement agreement. A potential fine of this unprecedented size prompts the question: How did we get here?
The mechanics that underlie the answer to this question are important. The United States has taken a data- or sector-specific approach to privacy regulation, and privacy matters not covered by those specific laws have fallen under the purview of the FTC Act. Specifically, Section 5 of the FTC Act (15 U.S.C. § 45) prohibits “unfair or deceptive acts or practices in or affecting commerce” and empowers the FTC to investigate any such acts and practices. It is under this mandate that the FTC has regulated business practices that affect consumer privacy and data security. For example, the FTC brings enforcement actions against entities that fail to comply with their published privacy policies.
These initial violations in and of themselves, however, do not lead to the levying of large fines. Rather, the monetary penalty provisions of Section 5 are generally triggered by the violation of a final FTC order. The FTC must first launch an administrative investigation into the actions that allegedly violate Section 5. If the FTC has reason to believe that a violation of Section 5 has occurred, it may issue a complaint setting forth its charges, which initiates an administrative trial in the FTC. The trials are often resolved by the investigated entity signing a consent decree, without admitting liability. Once approved, the consent decree is entered as the final FTC order terminating that trial. The decree typically outlines, in detail and with greater specificity, the precise actions that the entity must avoid or take—at least as it relates to the alleged conduct under administrative scrutiny—in order to not run afoul of Section 5 going forward. A consent decree essentially has the force of law.
Facebook agreed to a consent decree in November 2011, which was entered in July 2012 as the final FTC order, in an investigation and subsequent administrative trial alleging that, contrary to Facebook’s privacy settings pages, user information was made available to persons and entities beyond the scope of user consent and without user knowledge. In the consent decree, Facebook agreed, among other things, not to “misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information, including, but not limited to . . . its collection or disclosure of any covered information . . . .” “Covered information” was defined in the decree to include a range of personal information, including a user’s name, address, email address, phone number, and screen name or user handle.
If the FTC suspects a violation of a consent decree, it may launch another investigation. For an alleged violation of a consent decree, the FTC may rely on a separate provision of Section 5 to bring suit directly in federal district court and seek payment of civil penalties. This provision states that any person, partnership or corporation that violates a final order of the FTC may be subject to a civil penalty for each violation. At the time of Facebook’s consent decree, the penalty was $16,000 per violation. The penalty was adjusted to $40,000 in 2016 under updates to the laws and regulations related to civil penalties in order to account for “catch-up” inflation adjustments. The adjustments in recent years have been smaller and in accordance with a prescribed schedule. The current penalty is $42,530, which will apply retroactively to any prior violations.
Notably, what constitutes a single violation of a consent decree has been construed rather broadly and could be read to encompass an alleged misrepresentation on a per-affected-user basis. The cumulative effect of this penalty calculation provision could, therefore, theoretically lead to GDPR-like penalties. It is in view of this framework that the FTC and Facebook have reportedly agreed to settle the current FTC investigation for roughly $5 billion.