Potential penalties could top $1 trillion after 2011 consent decree established $40,000 fine for each violation
Most of Facebook Inc.’s punishment in the wake of the Cambridge Analytica scandal has come from investors, who wiped out nearly $75 billion in Facebook market value last week. Monday brought a reminder that government action could prove even more expensive, though, and sent shares tumbling again.
The Federal Trade Commission said Monday that it was looking into the company’s privacy practices and was prepared to use “all of its tools” to protect consumer privacy.
“Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers,” Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection said in a statement.
Pahl refers to the FTC’s history with Facebook FB, +0.42% , which settled charges in 2011 that alleged the company didn’t adequately protect user privacy. As part of the settlement, Facebook was required to undergo independent assessments of its privacy practices for 20 years and agree to potential penalties for future malfeasance.
The “consent” decree that was issued upon resolution of those charges could mean a penalty of $40,000 per subsequent violation, David Vladeck, a former director of the FTC’s Bureau of Consumer Protection, told the Washington Post last week. Vladeck, who was involved in the original decree, cited reports indicating that perhaps 50 million people were affected, which would amount to trillions of dollars in potential fines.
“That’s the maximum exposure, though it’s not clear to me that the agency would insist on that kind of a penalty,” he told the Washington Post.
A fine of that size is unprecedented, and recent examples have been much smaller in scale. For context, Google GOOGL, +2.68% GOOG, +3.10% was fined $22.5 million for violating privacy violations with Apple Inc.’s AAPL, +4.75% Safari browser back in 2012. Separately, European regulators fined Google parent company Alphabet Inc. €2.4 billion last summer for antitrust violations.
The consent decree includes two requirements that would likely apply in this case: It bars Facebook from misrepresenting the privacy of users’ information, and requires Facebook to prevent the access of data from anyone who has deleted his or her account, after 30 days. Facebook has pointed at misuse of the data by a researcher who received it and reportedly passed it along to Cambridge Analytica, and pointed out that the political consultant promised to delete the data when Facebook discovered its existence in 2015.
Facebook shares are down 2.4% in Monday trading, and they’re down 11% so far this year. The S&P 500 index SPX, +2.72% is down 1.9% in that time.
H/t reader kevin a.
* * *