By nearly any measure, $5 billion is a lot of money.
That is unless the measure is Facebook’s staggering $55.8 billion in revenue for 2018.
After months of speculation, the FTC announced in early July a $5 billion fine against Facebook resulting from the Cambridge Analytica scandal. The fine is by far the largest the FTC has ever levied against a tech company, absolutely trouncing its 2012 $22.5 million fine against Google.
Two weeks later, the FTC announced another major fine, this time against Equifax as a result of a massive 2017 data breach. Along with the announcement, the FTC publicized a $125 payment for victims.
But there’s more to the Equifax story and one big reason Facebook is eager to pay the enormous FTC fine.
The FTC hands Facebook a record $5 billion fine—and immunity
Confirmation of the long-rumored $5 billion fine hit the news July 12. The same day, Facebook’s stock rose 1.8%, likely because the fine wasn’t more severe than anticipated. Facebook is also reported to have set aside $3-5 billion specifically for the fine months ago.
Furthermore, Facebook reported just over $15 billion in revenue for the first quarter of 2019 so it’s safe to say that the $5 billion FTC fine amounts to about one month of Facebook’s revenue.
Suppose you make $50,000 per year; that makes a month’s pay about $4,100. Losing that amount would sting pretty hard for most people. However, Facebook has about eight months of revenue in savings (some $40 billion), so they’ll be just fine and so would you if you had eight months pay—or $32,000—in the bank.
Dissenting FTC commissioner Rohit Chopra criticized the fine, saying:
“The settlement’s $5 billion penalty makes for a good headline, but the terms and conditions, including blanket immunity for Facebook executives and no real restraints on Facebook’s business model, do not fix the core problems that led to these violations.”
Yes, the FTC is giving Facebook and its executives immunity for all privacy violations related to the settlement. Remarkably, it also provides immunity for “any and all” privacy violations prior to June 12, 2019. You can read the specific language here.
The fine’s perceived inadequacy, along with the blanket immunity provision, prompted the Electronic Privacy Information Center (EPIC) to file suit against the FTC. EPIC claims that more than 26,000 consumer complaints will be wiped off the books as a result of the settlement.
In 2012, the FTC had a previous confrontation with Facebook that also resulted in a settlement. Back then, it was about the social media giant sharing user data that it had promised would be kept private.
Maybe this time things will be different.
FTC fines Equifax nearly $700 million; victims could receive as little as 21 cents
In 2017, Equifax profoundly failed the public’s trust by exposing the sensitive data of half the adults in the United States (147 million people). The breach was entirely preventable and wouldn’t have happened if basic security measures had been employed such as patching a software vulnerability the company had known about for months.
On July 22 of this year, the FTC announced a nearly $700 million fine against the credit bureau. A few days later, the FTC announced a website for the administration of the breach settlement.
— FTC (@FTC) July 25, 2019
The website lets you check whether you were affected by the breach—which you most likely were. If so, the FTC’s announcement says you qualify for “free credit monitoring OR $125 if you decide not to enroll.”
The announcement sent a massive number of data-breached Americans scrambling to claim their piece of the $700 million pie, including U.S. Rep. Alexandria Ocasio-Cortez who tweeted:
Everyone: go get your check from Equifax!
$125 is a nice chunk of change.
Get that money and pay off a bill, sock it away, take a day off, treat yourself, whatever you’d like – but cash 👏🏿 that 👏🏽 check! 👏🏻
— Alexandria Ocasio-Cortez (@AOC) July 26, 2019
Unfortunately, it turns out the small print regarding victim compensation reads “No more than Thirty-One Million Dollars ($31,000,000) shall be paid.” This means the payout would be $125 only if a maximum 248,000 claims were filed. Any number above the maximum and the dollar amount decreases. For example, if half a million people filed a claim, the payout would drop to $62.
If all 147 million victims of the Equifax breach were to file a claim, checks would drop to about 21 cents a piece.
As the public became wise to the settlement’s shrinking reality, regulators began advising victims to take the alternate free credit monitoring option. Kind of like the service that Equifax sells for $20 a month.
In response, Senator Elizabeth Warren flatly accused the FTC of misleading the public by promoting the $125 payment without clarifying its limitations.
Are FTC regulators to blame or are their hands tied?
Part of the problem is that the FTC is the de facto data privacy authority in the United States. There is no federal data privacy regulation and suing tech companies over internet privacy has very little precedent and thus comes with a lot of risk for plaintiffs. Furthermore, litigation is time-consuming and it could take years to reach a verdict. Meanwhile, data privacy issues are affecting everything from our personal devices to our elections.
On July 24, the FTC defended the Facebook settlement, stating:
“The $5 billion penalty serves as an important deterrent to future order violations, by Facebook and others. Five billion dollars is approximately 9% of Facebook’s 2018 revenue, and approximately 23% of its 2018 profit. For purposes of comparison, the EU’s General Data Protection Regulation (GDPR) is touted as the high-water mark for comprehensive privacy 2 legislation, and the penalty the Commission has negotiated is over 20 times greater than the largest GDPR fine to date.”
This makes an interesting point and serves as a perfect segue to compare the recent FTC fines with recent GDPR fines, which we cover here.