Lessons from the FTC’s Facebook Saga

The FTC’s settlement with Facebook does little to change or restrict recidivist business practices.

I now want to discuss one of the best examples of failed repeat offender enforcement: the Federal Trade Commission’s (FTC) treatment of one of the largest and most well-known corporations in the world: Facebook. Facebook is a clear example of a politically powerful firm that routinely violated the terms of its government order with no real consequences.

I raise Facebook not only because it is such an egregious case but also because of the potential entry of very large firms entering financial services. It is clear that Big Tech wants to get into financial services, as we saw with Facebook’s failed attempt to create a new global currency. We have also seen Alibaba, Amazon, Google, and Tencent entering financial services, including with payments, money management, insurance, and lending. Given their size and customer reach, their entry has the potential to transform the industry. How these companies engage in other business practices is how we can expect them to engage in financial services, so it is worth going into some detail about the FTC case against one of the biggest players in this space.

In 2011, the FTC voted to issue an eight-count complaint against Facebook. According to the FTC, Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” The FTC simultaneously settled the matter for no money but required that Facebook cease its deceptive conduct and implement a program to ensure that privacy promises were kept. The settlement also gave the Commission broad access to company documents and personnel to ensure the company would not break the law again.

I arrived at the FTC as a commissioner in May of 2018. The agency was in deep decay and disarray after years of lax enforcement against large corporate actors, spanning multiple administrations. In some of the most widespread recent nationwide crises, from the 2008 financial disaster, to the opioid epidemic, to the student loan and for-profit college scandals, the FTC was essentially missing. On a bipartisan basis, the Commission heavily relied on a “no-money, no-fault” settlement strategy, where wrongdoers essentially faced no consequences, even in cases of egregious fraud.

In the case of Facebook, though, the company was already subject to an FTC order, and violations of an order were subject to significant consequences under existing law. But for many observers, the FTC simply seemed to be watching from the sidelines as its orders were being openly flouted.

A few months prior to my arrival at the Commission, it came to light that Facebook allowed Cambridge Analytica, a data analytics firm, to harvest information from more than 50 million individuals and use it for political purposes. This was just one of many controversies where Facebook broke its promises to employ reasonable safeguards to keep personal information private unless the user gave explicit affirmative consent.

As a matter of credibility for the U.S. government, I thought it was essential for the FTC to enforce its own order. For years and years though, commissioners set up agency staff to fail. commissioners deployed armies to small-scale scams, while depriving staff of the needed resources to police Facebook and other Big Tech firms. It was clear that these firms did not think the FTC was serious at all.

By the summer of 2019, the FTC prepared a six-count, fifty-page complaint that detailed a long list of privacy failures, including substantial order violations. That was clearly just scratching the surface of the company’s problems. But rather than investigating the matter fully or demanding significant changes to Facebook’s data harvesting practices, commissioners pursued what many people believed to be a publicity stunt.

I admit that the negotiated settlement accepted by a majority of the Commission made for a great headline. But the fine print in the settlement gave a lot for Facebook to celebrate. Facebook would pay a $5 billion fine but did not have to make any material changes to its business practices. Shockingly, Facebook was able to secure a highly unusual immunity clause for its executives, including for Mark Zuckerberg and Sheryl Sandberg. Zuckerberg was also able to retain absolute control over the corporation; though the settlement required a so-called independent committee on privacy whose members would need to be approved by a shareholder vote; and we know Zuckerberg essentially controls a supermajority of voting rights.

Three of the commissioners held a press conference, complete with custom-made graphics, about the “record-setting” nature of the settlement. In fairness, $5 billion does sound very significant. But Facebook had become one of the most valuable corporations in the world, approaching a trillion-dollar valuation. During the press conference, a senior career official largely admitted that Commissioners agreed to forego seeking testimony and documents from Zuckerberg in exchange for a higher fine. It was clear to many that the company paid off the FTC to minimize scrutiny of its top executives’ role in the order violations.

News of the settlement quickly set off alarm bells among data protection regulators around the world. A global consensus emerged that the settlement was a sham.

In my voting statement opposing the settlement, I described how Facebook flagrantly violated the FTC’s 2012 order and how the proposed settlement did little to change the business model or practices that led to the recidivism. The settlement imposed no meaningful changes to the company’s structure or financial incentives, which led to the violations. Nor did it include any restrictions on the company’s mass surveillance or advertising tactics. Instead, the order allowed Facebook to decide for itself how much information it could harvest from users and what it could do with that information, as long as it created a paper trail.

The proposed settlement let Facebook off the hook for unspecified violations and it gave Facebook a legal shield of unusual breadth, deviating from standard FTC practice. Indeed, when the settlement was announced against Facebook, its stock popped.

In my view, there were many lessons from the FTC’s Facebook saga:

• For very large firms, seemingly large fines, even ones that are “record-setting” may appear to be very punitive, but may have little effect;
• Corporate boards will go to great lengths to shield top executives from scrutiny, even though they are all bound by agency orders; and
• Committees, paperwork, compliance units, and other procedural requirements have much higher monitoring costs than bright-line structural remedies that meaningfully change business incentives.

We need to learn from these lessons to think about not only how to halt recidivism, but also how to treat small and big firms equally when it comes to enforcement actions.

Rohit Chopra is the director of the Consumer Financial Protection Bureau.

This essay is part of a three-part series based on remarks delivered at the Annual Distinguished Lecture on Regulation at the University of Pennsylvania Law School on March 28, 2022.

A fully formatted version of this entire three-part series is also available for download as a single, integrated PDF article.