“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis & Gilbert.
If the Federal Trade Commission (FTC) were a private business, it would be having a very good quarter.
The FTC recently agreed to a $700 million settlement with Equifax over its massive 2017 data security breach, which exposed the personal information of nearly 150 million people. And now the agency has blown the doors off of its previous record fine by finalizing a $5 billion settlement with Facebook for violating its existing 2011 Consent Order for Facebook’s handling of personal information. Prior to this, the largest fine in the agency’s 100-plus-year history had been a $22.5 million dollar settlement with Google in 2012.
To be fair, a decent portion of the Equifax $700 million fine is to be used to compensate consumers who suffered from the breach, such as providing credit monitoring services or even cash payments.
So how much do consumers get from the Facebook settlement? Zero.
So will the FTC be remodeling its offices, planning an offsite meeting in Turks and Caicos or handing out huge year-end bonuses? Not quite. FTC fines – other than those earmarked for consumer redress – generally go to the United States Treasury’s general fund. The FTC and its approximately $300 million budget could certainly use $5 billion, but it too will get zero (just like you and me).
That said, it’s legitimate to ask if these new fines embolden the FTC to be more aggressive with privacy and data security regulatory actions and oversight of the digital media industry in general. The answer may be yes, but there’s another factor that may do much more to motivate the FTC than these fines.
In the wake of the California Consumer Privacy Act and other state laws that address privacy, there have been more calls to enact privacy legislation on the federal level so that the industry has one consistent standard instead of an inconsistent patchwork of state laws that make compliance a challenge. A few bills have already been introduced, including the Algorithmic Accountability Act of 2019 and the Information Transparency & Personal Data Control Act, among others. Many of these bills charge the FTC with issuing new regulations for privacy and data security and/or empowering the agency with new authority. It is these new laws, if enacted, that will really make the FTC step up its enforcement and oversight activities. Some in Congress have even called for the creation of a new standalone federal privacy agency.
So while the industry should continue to pay attention to these escalating fines, it should pay more attention to the status of these pending federal privacy laws, which could significantly empower the FTC in a manner never seen before in the United States.