The $5 billion Facebook Inc. has reserved to cover a possible settlement with the Federal Trade Commission may cover only part of the costs it potentially faces from privacy probes and litigation in the U.S. and abroad.
The social media giant is embroiled in multiple European Union privacy investigations into whether it is complying with the bloc’s General Data Protection Regulation. It also faces two state-level consumer protection lawsuits, a possible Canadian privacy office court action, a probe by several U.S. state attorneys general and consumer class action litigation, in addition to the FTC’s investigation.
“Facebook isn’t just facing a suit or two that it can resolve quickly or quietly. This is the federal government, multiple states, international enforcement bodies, and potentially millions of consumers,” Bloomberg Intelligence analyst Matthew Schettenhelm said. “When a company is fighting a battle that could cost billions on multiple fronts, solutions aren’t easy and don’t come cheap.”
UK-based Cambridge Analytica, which had ties to Donald Trump’s presidential campaign, obtained the data of millions of Facebook users without their consent. Privacy regulators around the globe are looking into Facebook’s role in allowing the now-shuttered consultancy firm to access that user data and whether Facebook had knowledge the application was siphoning user information outside of company data policies.
A possible FTC settlement “will be the new normal for Facebook as it faces state AG investigations and scrutiny in Canada and the EU,” Dan Caprio, co-founder of The Providence Group and a former FTC chief of staff, said in an email.
Facebook didn’t immediately comment. The company believes that it will have to pay between $3 billion and $5 billion to wrap up the FTC probe, although the agency isn’t commenting publicly about the size of a potential settlement.
But the company potentially faces billions of dollars more in fines and court judgments for their role in the Cambridge Analytica scandal, not adequately protecting user passwords, and harvesting users’ email address books without permission, among other alleged privacy failures.
The FTC’s scrutiny of Facebook likely won’t end with its Cambridge Analytica probe, former agency officials said. The commission, which doesn’t normally announce its investigations, may decide to probe other Facebook privacy missteps.
The possible $5 billion settlement will end a “a batch of claims, but it will leave the FTC to pursue other possible privacy violations,” Justin Brookman, director of privacy and tech policy at Consumer Reports, said in an April 26 interview. “Facebook is public enemy number 1 on privacy issues,” and the agency is likely not done looking into the company, he said.
Facebook’s future privacy enforcement battles are also a sign of things to come for other tech giants facing multiple investigations.
This is likely to be “first meaningful FTC Techlash settlement and the amount of the penalty raises the stakes for other industry players,” Caprio said.
Cambridge Analytica Lingers
Many of the privacy investigations focus on Facebook’s role in the Cambridge Analytica saga. Facebook was hit with a 500,000 pound ($644,550) fine from the U.K. privacy office to wrap up that regulator’s probe.
Besides the FTC, the company is in advanced talks with the group of U.S. states to end that action, which could reach into millions of dollars if past privacy actions serve as a guide.
For example, Uber paid $148 million to 50 states and the District of Columbia in 2018 to settle claims related to a large-scale data breach in 2016 that exposed the personal information of more than 25 million of its U.S. users.
Washington D.C. attorney general Karl Racine (D) and Cook County, Ill. prosecutor Kim Foxx (D) have brought separate consumer protection suits against Facebook for its role in the Cambridge Analytica scandal. Both are seeking financial penalties but also want to expose how Facebook collects and shares user data.
Ireland, Facebook’s lead EU privacy regulator, has launched several investigations into other non-Cambridge Analytica privacy issues under the GDPR. Each of those cases could result in billions in fines because the regulation allows data protection authorities to fine tech companies up to four percent of annual revenue.
Regulators are watching to see if the Facebook’s FTC settlement “is deemed weak and insufficient” for the international data protection community, Ashkan Soltani, an independent tech researcher who was a chief technologist at the FTC, said. Enforcement authorities in Europe, Asia, and Canada won’t hold back if they see the U.S. is unable to hold tech companies accountable, Soltani said.
Canadian privacy regulators said April 25 that Facebook allegedly violated federal and local privacy laws and didn’t take responsibility for protecting personal data in its involvement with Cambridge Analytica. The federal privacy commissioner said his office intends to seek an order in federal court to force Facebook to fix its privacy practices, because it doesn’t have the power to impose an order or financial penalties.
To read more from Privacy & Data Security Law News pleaseOR Request Trial
(Updated with additional reporting)