Do you know who’s going to sleep well tonight?
Tom from Myspace.
We mean Tom Anderson, the creator of Myspace, a one-time social media king, dethroned by Mark Zuckerberg and Facebook. He can rest assured that his creation never prospered enough to find itself in the kind of swords-unsheathed government battle Zuck’s enterprise is in the middle of.
Heck, who are we kidding. We suspect Zuckerberg will sleep like a baby despite Wednesday’s record-breaking Federal Trade Commission fine and new compliance requirements.
Had the government really wanted to cause Zuckerberg pain, a couch-change penalty of $5 billion (a partial hit to one mere quarterly earnings report) was never going to do it. We’ll tick through the intended pain points to illustrate why they are a mere headache, not the knockout punch that was required.
Is the fine large enough?
Defenders of the monetary penalty place it in the company of past FTC fines and, in doing so, attempt to illustrate that the egregious violations of a 2012 data privacy consent order deserved such a hefty revenue grab. Those past fines:
The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It’s also one of the largest penalties ever assessed by the U.S. government for any violation.
In truth, the high number is not much of a stick. The $5 billion is approximately 9 percent of Facebook’s 2018 revenue, and approximately 23 percent of its 2018 profit. Still, it’s a drop in the bucket when you consider the company had $40.65 billion in revenue.
Also, just like it did with out-of-control leadership at big banks during the Financial Crisis, the government showed little appetite for penalizing insiders. In this case, Zuckerberg avoided direct monetary fines.
Democrat Rebecca Kelly Slaughter, one of the dissenting votes in the 3-2 decision by the FTC, summed it up well on Twitter: “The $5 billion is not enough given the scope of the offenses and Facebook’s financial position. The harm that flowed from FB’s misconduct included the Cambridge Analytica efforts to manipulate voters, that’s just one example. This is about the institutions of our democracy. But money alone would never be enough. Conduct terms are key. I don’t think the terms in this order go far enough to change Facebook or ensure accountability. There are no substantive limitations on FB’s data collection, use, and sharing. And there is no public transparency. Of course, we can’t just shout about what more we want in a settlement; we have to be realistic about the agency’s options. If Facebook wouldn’t agree to more meaningful terms, we should have taken them to court.”
Don’t judge a Facebook by its cover story
Slaughter’s comments underscore a concern that has amplified since the Financial Crisis. Regulators don’t police firms, they compromise with them. Negotiations are based on finding the right mix of fines and compliance demands to appease Congress and the public, but not drive companies to flee the bargaining table and take their chances with litigation. Regulators would do well to ignore this threat of cost, delay, and uncertainty to get the settlement they really want. If there is a flaw in underlying precedent or law they can blame a loss on, it could be a great impetus to force a legislative redress.
Those who voted in favor of the settlement see otherwise and claim “the settlement far exceeds what could be achieved in litigation and gives consumers meaningful protections now.”
Baby swimming in the bathwater
What we did like seeing was the continued use of corporate settlements to establish and reinforce compliance expectations. In Facebook’s case, it was “five overlapping channels of compliance.”
It must establish a new Board of Directors committee focused solely on privacy-related risks and settlement compliance. Members of the privacy committee must be independent directors with relevant privacy and corporate compliance expertise and will be appointed by a nominating committee comprised of independent directors. Members may not be removed for reasons relating to their good-faith actions as privacy committee members, absent an affirmative vote by two-thirds of the voting shares (more than the votes Zuckerberg controls).
The privacy committee must also discuss privacy risks with the independent third-party assessor, both with and without management present. And the Designated Compliance Officers (DCOs) independently must submit to the Commission quarterly certifications that the company is in compliance with the privacy program mandated by the Order, as well as an annual certification that the company is in overall compliance with the Order.
The Order requires accountability at the individual level. False certifications would subject Zuckerberg and the DCOs to personal liability, including civil and criminal penalties.
The Order also strengthens external oversight by giving new tools to an independent third-party assessor and to the FTC to monitor Facebook going forward. Both the assessor and the FTC will have access to Facebook’s documentation of its privacy decisions, including quarterly privacy review reports and the incident reports required by the Order. The assessor must also provide a biennial assessment to the independent privacy committee.
At least quarterly, the privacy committee must meet with the assessor, without Facebook management present, to discuss the assessor’s ongoing assessment of Facebook’s privacy program and any privacy risks the assessor has identified. The privacy committee must review with Facebook management any proposed remediation plans to address issues raised by the assessor.
This is a good blueprint for a compliance program, one that Facebook should have had from the get-go. Our only complaint is whether all would be better served by an embedded corporate monitor of the sort that has been forced upon big banks. We worry that Zuckerberg and his team are too clever at otherwise creating on-the-fly explanations for post-mortem reviews and reports.