Forcing Facebook to Behave: Why Consent Decrees Are Not Enough

December 9, 2018, 9:24 PM UTC
Protestors from the pressure group Avaaz demonstrate against Facebook in London on April 26, 2018.
Daniel Leal-Olivas—AFP/Getty Images

Why does Facebook show such disregard for user privacy? The best answer may be “because it can.” For years, the social network has engaged in shady tricks to wring every last dollar from our data, and regulators haven’t done a thing.

This could soon change. I spoke this week with Georgetown University law professor David Vladeck, who predicted the FTC will wallop Facebook with a fine “in the ten figures” over its recent privacy shenanigans—such as bartering user data with third-party firms like Cambridge Analytica and, as new reports reveal, creating whitelist access for the likes of Airbnb and Lyft.

Vladeck is in a position to know. As the former director of the FTC’s consumer protection bureau, he imposed a consent decree on Facebook for playing fast and loose with consumer data way back in 2009. The arrangement obliged the company to pledge it would get consent to share users’ information with third parties, and provided that each single violation could trigger a fine worth tens of thousands of dollars.

Facebook CEO Mark Zuckerberg has publicly stated he does not believe the company breached the decree, but Vladeck and other former FTC officials don’t see it that way. If the latter are right, the outcome could be a fine of $1 billion or more.

The question is whether such a fine will prompt Facebook and other tech companies to change their ways. It’s hard to believe that it will. Facebook executives appear to have calculated long ago that a fine, even one for $1 billion, was the price of rapid growth and one that it could well afford. The calculation has paid off: Not only has Facebook turned user data into an advertising gold mine, it has also used it to squelch competitors and maintain a monopoly. Why should it have acted any differently?

For companies to take privacy seriously, the U.S. requires a different legal regime. Right now, regulators must rely on the consent decree system, which gives companies a pass on their first major privacy violation, and then lets them quibble about subsequent violations.

Vladeck points out that consent decrees are a relatively new policy tool to oversee privacy, and the FTC is still navigating how to use them. This may be the case, but the law that underlies them—known as Section 5, which forbids “unfair or deceptive acts”—still feels like a clumsy tool to police data regulation.

Other countries take a more straightforward approach: They have privacy laws and go after firms that break them. Fortunately, something may be stirring in Congress. In the wake of recent data breaches, companies and lawmakers are talking seriously about a national privacy law. Maybe this will finally change how the likes of Facebook look at our data in the first place.

A version of this article appeared in the December 7 edition of Data Sheet, Fortune’s daily tech newsletter.
