Facebook Sees ‘Significant Harm’ in Emerging Regulatory Hurdles

The filing disclosed how potential changes to U.S. and international regulatory laws could “significantly affect” the business, particularly if they involve changes regarding user privacy, data protection, intellectual property, competition, protection of minors, and online payment services, among others. “A number of proposals are pending before federal, state, and foreign legislative and regulatory bodies that could significantly affect our business,” the filing said. “These U.S. federal and state and foreign laws and regulations are constantly evolving and can be subject to significant change.”

Facebook is already bound to regulatory agreements concerning alleged privacy errors, and any violation of those orders or consent decrees could subject the company to “substantial monetary fines and other penalties that could negatively affect our financial condition,” the filing said. Last year, Facebook settled with the FTC on allegations that it made deceptive claims about user privacy when it made changes to the framework of its social network in December 2009 (WID Nov 30 p1). Under the settlement, Facebook was ordered to implement a comprehensive privacy program to address the violations and do audits of its privacy controls every two years for the next 20 years. If Facebook violates the settlement, it will be subject to a penalty of $16,000 per violation per day.

But Facebook may actually be in a better position than other Internet companies because they have agreements in Europe, Canada and the U.S. that define the limits of their current practices, said Jules Polonetsky, director and co-chair of the Future of Privacy Forum: “In some degree they have a little more certainty because they have signed agreements and have an understanding of the parameters they are working with.”

"One serious change for the company is that as a public entity there are some things [Facebook] will no longer be able to keep private,” said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse. “Now they must disclose any public event that could have a material effect on their business,” he said. “There will be much more transparency and we will learn about risks sooner,” Polonetsky said. “Previously any risks to Facebook’s business operations weren’t necessarily public unless they were compelled by a federal agency to disclose them,” he said.

Both the FTC and the Department of Commerce plan to introduce new online privacy guidelines for U.S. companies this year. The recommendations could be incorporated into legislation that would require companies to implement new data security policies and provide notification to consumers when there is a security breach. In December the FTC held a public workshop to discuss the privacy implications of facial recognition technologies similar to those employed on Facebook’s social network. And more recently the FTC Division of Financial Practices is developing greater focus and scrutiny on the mobile space in order to protect consumers (WID Jan 12 p7).

Last year the FTC offered more than two dozen changes to the Children’s Online Privacy Protection Act (COPPA) rule that would impose new requirements on website operators with the aim of protecting children from online threats. Among its proposed changes, the FTC sought to expand its governance of personal information, online services, and parental notification requirements relating to children under the age of 13 (WID Jan 3 p2).

If the FTC does finalize its COPPA revisions it’s “going to be a pressure point” for Facebook that “could be incredibly expensive for them to comply with,” said Justin Brookman, director of the Center for Democracy and Technology’s project on consumer privacy. Stephens agreed: “There certainly are going to be implications for Facebook. There is no question that there are a lot of people on Facebook that shouldn’t be on there because they are too young.” But Polonetsky said he didn’t think there’s anything in the proposed COPPA rule that specifically targets Facebook: “Most of the issues raised are fairly relevant to any site that has kids. I don’t think [Facebook] comes out much differently.”

This year Congress is considering a pair of do-not-track bills by Reps. Ed Markey, D-Mass. (HR-1895), and Jackie Speier, D-Calif. (HR-654). A location privacy bill (HR-2168) by Rep. Jason Chaffetz, R-Utah, is pending in the House Judiciary Subcommittee on Crime and the Permanent Select Committee on Intelligence. Also pending before Senate Commerce is a do-not-track bill (S-913) by Chairman Jay Rockefeller, D-W.Va., and a commercial privacy bill by Senate Communications Subcommittee Chairman John Kerry, D-Mass. At the Senate Judiciary Committee are location privacy bills by Sen. Al Franken, D-Minn. (S-1223), and Ron Wyden, D-Ore. (S-1212), and an update to the Electronic Communications Privacy Act (ECPA) by Chairman Patrick Leahy, D-Vt.

Proposed anti-piracy laws like the Stop Online Piracy Act (SOPA), the Senate companion PROTECT IP Act and even the rival OPEN Act aim to create new obligations for companies like Facebook. Facebook was a vocal opponent of the bills, which its policy blog said contain “overly broad definitions and create a new private cause of action against companies on the basis of those expansive definitions” (WID Jan 25 p1). “These existing and proposed laws and regulations can be costly to comply with and can delay or impede the development of new products, result in negative publicity, increase our operating costs, require significant management time and attention, and subject us to claims or other remedies, including fines or demands that we modify or cease existing business practices,” the filing said.

Lawmakers are also pushing a handful of data protection bills that could impose additional security mandates on a company that takes pride in its hacking roots. Rep. Mary Bono Mack, R-Calif., is the author of the Safe Data Act (HR-2577), Sen. Tom Carper, D-Del., is the author of the Data Security Act (S-1434) and Rep. Cliff Stearns, R-Fla., is the author of the Consumer Privacy Protection Act (HR-1528). But Brookman said he’s “pretty sure” Facebook already has processes in place “so I don’t think that would be terribly burdensome on them.”

Facebook’s international business could further complicate the company’s regulatory entanglements as foreign data, privacy, and other laws “are often more restrictive than those in the United States,” the filing said. Facebook drew specific attention to the European Union’s sweeping reform of its 1995 Data Protection Directive which it said “may include more stringent operational requirements for data processors and significant penalties for non-compliance.” If the revamped data protection rules are approved by the European Parliament and the Council of Ministers, any company doing business in Europe will be required to acquire explicit consent to use personal data and a “right to be forgotten” policy when consumers withdraw personal information from social networks (WID Jan 26 p1).

"Operating as a large multi-national corporation [Facebook] will be subject to the legislative prerogatives of numerous nations,” Stephens said. “The direction that most nations are moving towards are greater privacy protections for individuals and that could have an impact on Facebook’s revenue stream in the future.”