Washington D.C. — Today’s agreement between the Federal Trade Commission and Facebook fails to protect our privacy. While the $5 billion penalty may sound impressive, neither that nor the internal controls that the company will implement under the order will change the fundamental business practices of the company. These practices are based on the massive surveillance of individuals and monetizing information gleaned from their behavior. In spite of the agreement, the company remains free to use data about people in any way it sees fit.
CFA strongly applauds the dissenting positions taken by FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter, who have identified the serious shortcomings in the agreement.
Allowing Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it documents its decisions, is akin to robbing a bank and leaving a note that you did it. The failure to require structural change to the company’s data practices is a failure to protect Americans’ privacy. Furthermore, the fact that the agreement ignores the consolidation of data from Facebook and its affiliated companies, WhatsApp and Instagram, is incomprehensible.
The FTC should have gone even further and forced the company to divest those assets since the integration of these platforms helps fuel the massive commercial surveillance that Facebook conducts.
Particularly disturbing is the broad shield that the order provides regarding conduct not addressed in the settlement. The parties agreed that the order will resolve not only issues with Facebook’s violations of its original settlement with the FTC but all consumer-protection claims known by the FTC prior to June 12, 2019, that the company violated Section 5 of the FTC Act. There is no reason for this except to give Facebook a complete pass on any other problems with Facebook that the FTC was aware of before that date.
The FTC’s timid action in this case, and its institutional constraints, including its inability to obtain civil penalties in privacy cases unless a company has violated a previous order and its lack of any rulemaking authority on privacy, demonstrate why we need strong legal protection for people’s personal information in the United States and an independent Data Protection Agency that has the powers and resources to truly protect our privacy.