Senate Consumer Protection Democrats Say Facebook Violated 2011 FTC Consent Decree
Senate Consumer Protection Subcommittee ranking member Richard Blumenthal, Conn., and other subcommittee Democrats used a Tuesday hearing on privacy implications of the Facebook-Cambridge Analytica breach to expand what they perceive to be Facebook's violations of its 2011 consent decree with the FTC to include other recently-disclosed actions. Former FTC Chief Technologist Ashkan Soltani confirmed the Democrats' view, saying he believed Facebook violated the agreement. Blumenthal, Senate Consumer Protection Chairman Jerry Moran, R-Kan., and others drilled down on potential legislative solutions to address Facebook-Cambridge Analytica's privacy implications.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“No other single company has done more to erode consumer privacy than Facebook,” Soltani testified. The facts around the Cambridge Analytica breach are “quite similar” to those at issue in the 2011 consent decree, which ended the FTC's previous examination of whether the social media company made deceptive claims about user privacy (see 1111300105), Soltani said. The commission has been investigating Facebook-Cambridge Analytica as a potential consent decree violation since shortly after news of the data breach first broke in March (see 1803200047 and 1803260039). Facebook and the agency didn't comment.
Facebook's recently revealed data-sharing partnerships with at least 60 device makers likely also violated the FTC agreement because the data provided in those partnerships mean that privacy settings on Facebook users' accounts were likely overridden, Soltani said. The partnerships, including with Apple, Amazon, Microsoft and Samsung, have drawn criticism from lawmakers in both parties, given testimony Facebook CEO Mark Zuckerberg gave earlier this year (see 1804090026, 1804100054, 1804110065, 1806040055 and 1806080045).
Blumenthal led Senate Consumer Protection Democrats in highlighting Facebook's potential violations of the FTC consent decree. There is little doubt that Facebook violated the agreement and “I will be strongly urging the FTC to go beyond the consent decree into further investigations,” Blumenthal said. Sen. Ed Markey, D-Mass., raised concerns about whether the punishment the FTC would be able to dole out after its investigation would fit the violation. “For this be meaningful,” the fine “has to be substantial,” Markey said. Otherwise, it would be akin to “paying a parking ticket.” There is a “strong likelihood” the FTC will impose a fine against Facebook over Cambridge Analytica, though even the larger fines the agency has issued, such as its 2015 $100 million penalty against LifeLock (see 1512170026), will do very little” given Facebook is a multi-billion-dollar company, Soltani said.
Blumenthal said he plans to introduce legislation outlining a “privacy bill of rights” for U.S. consumers, based in part on the EU's controversial general data protection regulation, in response to Facebook-Cambridge Analytica and the other recent incidents. “Americans deserve no less privacy” than do users in Europe, he said. Blumenthal and Markey also billed their Customer Online Notification for Stopping Edge-provider Network Transgressions (Consent) Act (S-2639), filed the week Zuckerberg testified, as a “privacy bill of rights” (see 1804100054). Blumenthal also previously introduced the Managing Your Data Against Telecom Abuses Act (My Data) Act (S-964).
Blumenthal and Moran noted U.S. stakeholder concerns about replicating GDPR. Blumenthal said he's not advocating for a partially GDPR-based approach simply “because it's there” as an option, and hoping “we can improve upon it” through his coming legislation. NewCo CEO John Battelle cautioned Congress against adopting GDPR-centric legislation, saying applying the regulation in the U.S. “may only strengthen [Facebook's] grip on its market, while severely limiting entrepreneurial innovation.” Congress should instead consider an “enlightened regulatory framework that encourages data sharing, high standards of governance, and maximum value creation, with the individual at the center of that value exchange,” Battelle said.
Congress will need to adopt some sort of legislation in response to Facebook-Cambridge Analytica simply because social media companies and others in the tech sector are “likely to strongly resist making changes themselves for fear that others will not follow suit and they will be at a competitive disadvantage,” said ex-Cambridge Analytica contractor Aleksandr Kogan. “Companies whose main revenue comes from ads are typically selling advertisers on the idea that the companies can find the right person, in the right place, at the right time, and serve them the right ad. This may act as a barrier to change.”
Soltani urged a move away from the notice-and-choice framework that underlies FTC enforcement authority, since “in practice, this does nothing to protect users.” It is “well known that users neither read nor understand most company’s privacy practices,” he said. “Even if users did actually read the privacy notices, they have no way, short of boycotting a service, to object to privacy practices they find overly intrusive.” Facebook is now “the de-facto method by which users log in to third-party applications,” including dating apps and social lending sites, Soltani said.