Although the Federal Trade Commission said its $5 billion fine against Facebook Inc. over privacy violations is unprecedentedly high both compared to past agency metrics and worldwide actions, it falls short of a record when measuring the fine’s proportion to corporate revenue.
The FTC’s new penalty, announced Wednesday, makes up 9 percent of Facebook’s 2018 annual revenue, which was $55.8 billion. By that metric, the fine is second to the one imposed on Equifax Inc. earlier this week, which was related to its massive data breach in 2017.
Equifax agreed to pay a minimum of $575 million, and up to $700 million, to settle a group of enforcement actions from all 50 states, the FTC, and the Consumer Financial Protection Bureau in a breach that impacted about 150 million people and exposed sensitive information such as Social Security numbers and credit card data. The maximum fine represents 20.5 percent of Equifax’s 2018 revenue.
When determining how much to fine a company for privacy violations, the FTC considers a number of details, including the ability to pay, degree of culpability and the ability to deter future conduct. Under its current powers, the agency is only able to seek civil penalties against a company for privacy and cybersecurity violations after the first violation.
Such was the case in 2018 for Uber Technologies Inc.: After disclosing that hackers gained access to the personal information of about 600,000 drivers nationwide, the ride-hailing company agreed to implement a comprehensive privacy program and submit an annual third-party assessment of its privacy practices to the commission for 20 years -- but wasn’t subjected to a fine from the agency because it was its first violation. Instead, in September 2018, attorneys general from all 50 states and the District of Columbia settled their class-action suit against the company for $148 million.
In Europe, where the General Data Protection Regulation went into effect in May 2018, fines for privacy violations are determined by several factors, such as how many people were affected and whether it was intentional or negligent, and can result in a fine between 10 million euros ($11.1 million), or 2 percent of a company’s worldwide annual revenue, and 20 million euros, or 4 percent of such revenue -- whichever is higher.
In the case of Marriott International Inc., a data breach exposing 339 million guest records -- including about 30 million in Europe -- could result in a possible $124 million fine, or 2.5 percent of the company’s global revenue.
Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals in New Hampshire, a nonpartisan member association for privacy workers, said that while the fine is record-breaking and nothing to ignore, there’s no one formula that could be “readily deployed” by regulators in privacy violation cases.
“There’s a broad consensus that the FTC should have a much broader legal mandate to operate in this space,” Tene said. “They’re operating on a phrase that dates back to 1914,” referring to the Federal Trade Commission Act, which limits the agency’s purview to actions that violate antitrust laws, harm market competition, cause consumer harm and mislead consumers -- but does not lay out specifically how the agency should account for today’s privacy issues.
“There’s general agreement on both sides that the laws should be far more detailed and elaborate,” he said.
Will Rinehart, director of technology and innovation policy at the American Action Forum, which generally supports regulation on tech companies, said there still seem to be broad questions as to how the FTC came to the $5 billion figure.
“It’s really unclear to any company what the FTC’s standards for privacy are currently,” he said. “Policymakers should really be focused on” making it clearer.
Several Democratic lawmakers voiced concerns following the official announcement of the Facebook settlement that the $5 billion fine is insufficient. House Energy and Commerce Chairman Frank Pallone (D-N.J.) said in a statement that “monetary damages are not enough” and called for “tough oversight.”
Pallone’s committee is in the middle of discussions to craft comprehensive data privacy legislation, which could expand the agency’s authorities and establish new guidelines for how much a company could be fined for data breaches and other privacy violations.
Sen. Ed Markey (D-Mass.), one of the authors of the Children's Online Privacy Protection Act and a member of the Senate Commerce Committee overseeing privacy legislation, said in a statement that “the FTC not only fell short, it fell on its face” in the settlement. “The new rules placed on Facebook in this consent decree fail to systematically change Facebook’s internal infrastructure and put a stop to its privacy malpractice once and for all,” Markey said.
Meanwhile, Senate Commerce Chairman Roger Wicker (R-Miss.) said in a statement that the deal “further stresses the need for a strong federal data privacy law.”
The three lawmakers’ offices did not respond to requests for comment on what would be considered an adequate fine.
Joanna Piacenza and Morgan Halvorsen contributed to this report.