Facebook Violated Its 2011 Consent Decree
NOTE TO REPORTERS
Public reports indicate that the Federal Trade Commission (FTC) and Facebook are in the final stages of negotiating a settlement of charges that the company violated its 2011 consent decree.
Public Citizen’s comments on elements of a settlement that would meaningfully restrain Facebook from future privacy abuses:
- A larger monetary penalty is needed. $3 billion or $5 billion is a very substantial penalty, especially for the Federal Trade Commission. But that the markets responded so favorably to Facebook’s announcement that it expected a penalty in this range is clear evidence that an even steeper fine is needed to shake up the status quo at Facebook.
- Holding Zuckerberg accountable is a good idea but has limitations. Holding Mark Zuckerberg personally liable for any future privacy infractions at Facebook is an excellent idea, but it has limitations, and should not be considered a key element of what defines a strong and effective settlement with Facebook.
Although it is desirable to impose an affirmative duty on CEOs to ensure their companies comply with the law, regulators are very reluctant to enforce such obligations. Even when the duty is specific and personal, regulators remain sympathetic to the notion that CEOs can’t know everything that happens inside of their company, and they tend not to appreciate that CEOs are responsible for setting corporate norms for complying with the law. The best evidence of the limitations of personal accountability is SarbanesOxley Act of 2002.
- A privacy oversight committee is desirable but not likely to be transformative. There is reason to be skeptical of the notion that a privacy officer or privacy oversight committee will make a difference at Facebook. Beyond the fact that it like every company is required to follow the law, it was already operating under a consent decree – which it violated in epic fashion. Additional compliance systems are not likely to do the trick. There is an extensive track record of monitors appointed to ensure compliance in the wake of convictions or settlements, and the record is not good.
If a privacy oversight committee is established, it should publish its findings, have guaranteed access to internal company information, function independently of Facebook (which would require, among other measures, that oversight committee members not serve at the pleasure of Facebook), be empowered to hear claims from internal whistleblowers and to afford protection to those whistleblowers, serve as an empowered ombudsman to hear and demand action to remedy consumer privacy complaints. But no one should expect a privacy officer or oversight committee to transform practices at Facebook.
- The settlement should include prohibitions on specific anti-privacy practices. Pro-privacy measures that should be included in a Facebook settlement should ban particularly concerning practices. These include:
- Limits on Facebook’s ability to share user data with outside parties.
- Prohibitions on Facebook’s tracking of users when they are accessing online content or services outside of Facebook.
- A ban on users functioning as de facto marketers to their friends unless they affirmatively aim to do so.
- Remedies should prevent Facebook from expanding its market power. Facebook’s size and scope make it difficult for users to avoid using the company’s products and escaping from its surveillance and privacy intrusions. The problem is not just a lack of alternatives to Facebook, but the network effects of its monopolistic position. Refusing to use Facebook means declining social media engagement with most of a person’s friends, acquaintances and colleagues. It is as if choosing an alternative phone service to Verizon meant giving up the possibility of calling most people. Given that backdrop and Facebook’s repeated failure to respect user privacy, we believe the FTC should act to break up Facebook. Recognizing that such action will not come as part of a settlement agreement, the FTC should still insist on structural remedies that prevent Facebook from consolidating further its market power further and give users better alternatives than the Facebook privacy regime. These should include:
- A prohibition on the merger of Facebook Messenger, WhatsApp and Instagram messages, so that Facebook cannot leverage network effects to force users to use its instant messaging services.
- A prohibition or at minimum lengthy moratorium on Facebook acquisitions, so the company can expand its reach further and swallow future competitors, including competitors who may choose to compete on privacy-related dimensions.
- Obligations for interoperability, so that users can rely on services with different features and privacy protections, and still communicate with friends and associates on Facebook properties.