The Federal Trade Commission’s $5 billion Facebook Inc. privacy settlement shows the GOP-controlled agency is ready to use its limited authority, especially to police companies with which it has already tangled over data privacy.
The agency has few direct privacy powers, but can investigate companies for unfair or deceptive trade practices, including data handling practices not disclosed in privacy policies. It entered into a consent decree with Facebook in 2012 to resolve earlier privacy missteps, giving it more power to regulate the social media giant.
Other companies that already have consent decrees with the commission “should look at this,” GOP agency chairman Joe Simons told reporters. “One of the problems we have is if you’re not under order, we can’t get civil penalties. But for the folks who are under order, this is what we’re looking at.”
The FTC also has privacy-related consent decrees with other companies, including Alphabet Inc.'s Google, Twitter Inc., and Yelp Inc. The agency can get civil penalties for companies that allegedly violate a consent order, but can only seek a settlement with first-time offenders in most situations.
Companies under FTC consent decrees should “take this as a reminder to double check their compliance program,” Stacey Brandenburg, who previously worked in the FTC’s division of privacy and identity protection, said.
The settlement “imposes a number of reporting requirements to the Commission, which ensure that the FTC and the Justice Department will have clear lines of sight at any given point into how effectively we’re meeting our responsibilities,” Facebook vice president and general counsel Colin Stretch wrote in a blog post.
The commission can only seek to impose fines when a company is under a consent order or using specific limited federal privacy laws. The agency is also limited in what data restrictions it can seek, former officials said.
“As a civil law enforcement agency, the FTC does not have unlimited authority to impose limitations on data collection and use,” Dan Caprio, co-founder of the Providence Group and a former commission chief of staff, said.
The FTC’s privacy enforcement power hinges on whether a company broke promises it made about how it handles customer data. Businesses that don’t promise specific privacy protections or data use limitations won’t be held liable for how they choose to use data, former commission officials said.
The commission wouldn’t have had the same ability to prod Facebook into the settlement if the company wasn’t already under a consent decree for violating its privacy promises, Ashkan Soltani, a former chief technologist at the FTC, said.
The agency has limited authority to seek fines under specific federal laws, including the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act. Congress would have to grant the agency more enforcement authorities to broadly police tech giants like Facebook or Google, former officials said.
Republicans and Democrats in Congress are working on privacy legislation that could increase the agency’s enforcement power.
The settlement “further stresses the need for a strong federal data privacy law,” Senate Commerce, Science and Transportation Committee chairman Roger Wicker (R-Miss.) said in a statement, adding, “without a robust, comprehensive federal privacy law covering data collectors and consumers, bad actors will be able to continue to abuse data in the online marketplace.”
Maria Cantwell (D-Wash.) the top Senate Commerce Democrat, said the settlement highlights the need for strong privacy legislation that gives the FTC tools, including “the authority to levy fines on the first offense.”
House Energy and Commerce Committee chairman Frank Pallone, Jr. (D-N.J.), also said the FTC needs more tools.
“Comprehensive privacy legislation is necessary to strengthen the FTC’s authorities and give it more enforcement tools and resources so that violating consumers’ privacy and breaking public trust isn’t just the cost of doing business,” Pallone said in a statement.