A record $5 billion privacy settlement is proposed by the Federal Trade Commission to conclude the investigation started in March 2018 after reports that Cambridge Analytica improperly accessed personal data of 270,000 Facebook users and some of their friends. This incident is said to have affected approximately 50 million Facebook users.
According to press reports, the proposed draft settlement regarding the Facebook investigation was approved by a 3-2 vote along party lines, with the Republicans supporting the proposed settlement. The draft now must be reviewed and approved by the Justice Department before it can be published. It is unclear how long the review will take. Thus, at this time it is not possible to comment on the details of the settlement, which remain confidential.
This is the second time that Facebook has been investigated by the Federal Trade Commission, and this is why the FTC is able to assess a fine. In most of its investigations, the FTC only has the power to fine a company being investigated if the law that it enforces itself provides for penalties. This is the case for COPPA violations, for example. Most actions of the FTC in the privacy or cybersecurity area rely on violations of Section 5 of the FTC Act, which does include fines.
When the FTC investigates a company about matters that constitute a violation of a previously existing consent decree, the FTC is allowed to fine the investigated company for violation of the pre-existing consent decree. In that case, the maximum fine authorized by law is a multiple of the number of violations. The applicable multiple is set by law each year; it is currently approximately $40,000 per violation.
In the Facebook Cambridge Analytica situation, the FTC is investigating the use of the data by Cambridge Analytica, and is likely to have found that access to the Facebook users’ data by Cambridge Analytica was caused by a breach of the 2012 consent decree against Facebook. In that case, the FTC has the power to issue a fine for which the maximum amount set by law is approximately $40,000 per violation. The $5 billion number corresponds to 270,000 times $20,000; 270,000 being the number of Facebook users who installed the Cambridge Analytica product.
Facebook has been a frequent target of oversight or investigations by the Federal Trade Commission in the past with respect to its own activities or those of its affiliates WhatsApp or Instagram. For example, a document available on the website of the Federal Trade Commission shows that there were frequent meetings and exchanges of correspondence between FTC and Facebook officials between 2011 and 2018.
Time will tell how the Facebook / Cambridge Analytica investigation will unravel. It is certain that the likely large size of the fine assessed by the FTC, as well as other fines seen in other countries – for example fines against Marriott and British Airways in the $250M range in the United Kingdom, and a $50 million fine for Google in France – show a change of mood among enforcers worldwide. Businesses, anywhere in the world, should pay closer attention to their data handling activities, the level of their compliance with applicable privacy and cybersecurity laws, as well as their own promises to customers in their privacy notices.