We have all seen Mark Zuckerberg’s picture in the news recently when, as Facebook CEO, he answered questions before multiple Congressional committees about consumer privacy. The March reports involving Cambridge Analytica have sparked renewed concern and outrage, as well as a spate of lawsuits, regarding user privacy.
To reprise that story: Facebook confirms that Dr. Aleksandr Kogan harvested data on up to 87 million Facebook users through an app. Later Dr. Kogan apparently shared a significant portion of this information with Cambridge Analytica, a political consulting firm. When this incident first surfaced in December 2015, Facebook stated it was investigating. Nevertheless, Facebook didn’t inform the affected users of this breach of privacy at that time, as Senator Kamala Harris reminded us during the Senate hearing on April 10. And Facebook didn’t suspend Cambridge Analytica until March 2018.
This is not the first user data incident for the social media giant that has caught the attention of the Federal Trade Commission.
The Facebook consumer protection saga started earlier, in 2009, when the FTC began investigating the social media giant for mishandling private user data. The investigation led to the 2011 FTC settlement and consent decree with Facebook. In a press release announcing the settlement, the agency highlighted seven instances where Facebook allegedly made promises to users that were later broken.
This consent decree also gave a formal checklist of stipulations on how Facebook was to proceed in the future regarding user privacy. These requirements included: to not misrepresent the extent of user privacy, to get prior consent before sharing beyond user privacy preferences, to remove all access to data within 30 days of user deletion, to implement a comprehensive privacy program and to complete a biennial audit by a qualified third-party firm to ensure compliance. There was no financial penalty for the company at the time, but the FTC noted that future violations might incur a $16,000 fine per instance.
Now the FTC has confirmed that it is investigating whether Facebook has failed to keep the 2011 consent decree requirements.
“Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements,” Tom Pahl, acting director of the Bureau of Consumer Protection, said in a statement. “Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook.”
This ongoing pattern of privacy breaches suggests that Facebook is not self-regulating in this area. Indeed, in reviewing the history of Facebook user data missteps, one may ask if the company is operating in good faith with its users. Senator Richard Blumenthal said, “It’s really a kind of high noon for Mark Zuckerberg…He has to have a better answer than just, ‘I made a mistake.’ He didn’t just spill milk on the breakfast table. There is a more fundamental issue related to Facebook’s business model—they sell your information without your consent. That’s what has to change.”
We see from these events that we are going to have to seriously rethink our privacy laws as a nation. We can expect some sort of regulation to develop from these conversations on privacy. Traditional media forms have been government-regulated since the early 1900s. New laws would necessarily apply to all companies that handle personal data, so we must all be part of this conversation.
As a nation, our policy development will be affected by the EU’s General Data Protection Regulation (GDPR) that takes effect on May 25, 2018. Because GDPR requires all organizations dealing with data owned by EU citizens to follow certain guidelines, U.S. companies have been preparing for years to comply with these stricter standards of handling user information for citizens of the EU. Facebook needs to identify how their forthcoming policy changes will fit into this new data policy landscape.
Throughout the latest events, from Senate hearings to data exploitation, Facebook has been on the wrong foot. Yes, Facebook is a business, and data is their product, but rather than reacting to each breach, the social media company needs to be looking ahead to prevent misuse of their platforms.