WASHINGTON – July 24, 2019 –Today, the Federal Trade Commission (FTC) announced an unprecedented settlement requiring Facebook to pay $5 billion in civil penalties, create new accountability and compliance mechanisms, and imposing additional injunctive relief. The settlement stems from violations of a 2012 order.
The $5 billion penalty is more than 15 times larger than the previous record penalty levied by the FTC for a privacy violation. It is one of the largest penalties issued by a US government agency in any context. The fine is more than twice the financial penalty that could be imposed by an EU regulator under the General Data Protection Regulation.
But today’s record settlement masks a major gap in the FTC’s enforcement authority – the Commission doesn’t typically have fining authority for privacy violations, unless it is enforcing an existing order (as with Facebook) or invoking specific statutes (such as the Children’s Online Privacy Protection Act).
In fact, in many privacy cases the FTC has trouble even getting refunds for consumers. That’s because many companies provide online products and services for free – so it’s difficult to prove a financial loss. In those privacy cases, the FTC should have fining authority; it would create effective, proportionate deterrence and ensure that bad actors are held accountable – even when they don’t charge consumers a fee for services.
The time has come to give the FTC civil penalty authority. Preferably, this would be accomplished by Congress as part of a comprehensive new national privacy law that also gives consumers meaningful control over how their information is used.
The FTC also needs more resources so it can conduct more privacy investigations faster, while maintaining a high level of technical and legal competence. Real oversight of the Facebook settlement will require FTC staff resources and time to be effective. That funding could be provided by Congress this year through the appropriations process.
If Congress wants stronger incentives for compliance and more responsive investigations, it needs to give the FTC civil penalty authority for privacy violations and more tech and investigative resources now. There is no reason to wait.
Future of Privacy Forum
About the Future of Privacy Forum
Future of Privacy Forum is a global non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.