In the span of just a few days, the federal government announced settlements relating to two massive privacy breaches that occurred over the last few years, fining Facebook $5 billion for mishandling consumer data, and Equifax $575 million for actions related to a data breach that exposed the personal information of 147 million consumers.
But the fines take very different forms. Almost half of the Equifax settlement is going to consumers harmed by the breach, who are eligible for at least $125; some will get as much as $20,000 for time and money spent protecting their identity in the wake of the violation. The entirety of the Facebook fine, by contrast, goes to the U.S. Department of the Treasury.
Why are consumers getting money in the Equifax settlement and not in the Facebook deal? It has to do with federal law, and who lost what in each situation, experts say.
In the Equifax case, consumers allegedly lost time and money by trying to protect their personal information in the wake of the data breach. Under the Fair Credit Reporting Act, which regulates Equifax and other credit reporting agencies, the federal government can require that those consumers be compensated.
But in the Facebook case, it is difficult for the government to use current law to prove any individuals suffered a big loss. Facebook allegedly allowed the political consulting firm Cambridge Analytica to access users’ personal data, and allowed consumer phone numbers initially acquired for security reasons to be used for advertising purposes. But from a legal perspective, “the people affected by Facebook didn’t lose anything,” said Justin Brookman, the director of Consumer Privacy and Technology Policy at Consumer Reports. They might have seen some targeted ads that violated their privacy, but putting a price tag on that is tricky.
Instead, Facebook was fined because it was found to have violated a 2012 deal with the Federal Trade Commission (FTC), which was meant to prevent Facebook from misrepresenting how it used consumers’ personal information. The FTC, whose commissioners approved the fine in a 3-2 vote, also found that Facebook violated Section 5 of the Federal Trade Commission Act, which allows the government to enforce against unfair and deceptive trade and business practices. Rather than compensating consumers who were harmed, though, the settlement requires Facebook to become more transparent about how it uses consumer data going forward. (The $5 billion fine is the world’s biggest-ever privacy fine so far.)
The Facebook settlement isn’t the end of the government’s potential actions against the company. Going forward, the Department of Justice will be able to take legal action against Facebook if the company violates the most recent settlement. Individual states can also bring their own lawsuits against Facebook by alleging it violated state laws. Consumers can also potentially file private litigation alleging Facebook engaged in deceptive practices.
Some advocates say the different remedies for Facebook and Equifax underscore the need for more robust federal laws governing what companies can and can’t do with consumer data. Though California passed a sweeping privacy law that goes into effect next year, Congress has not been able to agree on how to proceed with a federal law regulating consumer data use. “We definitely need privacy laws in this country,” Brookman said. “Most countries around the world have privacy laws requiring transparency and choices around access to data.”
The tricky part is what that regulation would look like, and who would gain from it. Some leaders, including current California governor Gavin Newsom, suggest that tech companies should pay a “data dividend” and compensate consumers for the use of their data. But groups like Consumer Reports argue that rather than encouraging data collection, the government should stop that collection in the first place. California’s law, for example, allows consumers to delete the personal information that businesses have collected about them.
Regulation can’t just focus on tech companies, says Pam Dixon, the executive director of the World Privacy Forum, a research and advocacy group. Banks and other companies also have access to consumer data; many privacy problems stem from retail payments. And regulating technology doesn’t work, she argues, because technology changes so quickly — a law governing how, say, Facebook uses data might be as useless in a few years as one that regulated MySpace a few years ago. Instead, Dixon advocates for setting standards for privacy, but says that federal law-setting has lagged. Senator Mark Warner introduced a bill in April that would regulate the methods used by some big websites to convince users to hand over their data, but it has not made much headway. “Congress has hit a road block here,” Dixon said.
That’s why some scholars say that regulators should use existing laws to hold companies more accountable for privacy violations. Antitrust scholar Dina Srinivasan says that antitrust law could be used to rein in a company’s data practices while providing consumer compensation, for example. A German competition authority used antitrust principles to rule that Facebook could not gather user data when people are using independently owned apps, for instance. History suggests that companies are more likely to violate users’ privacy once their competition has disappeared, Srinivasan said. “The actual mechanism of competition can work to restrict a company’s ability to violate user privacy,” she said.
There are signs the government is already moving in that direction. Earlier this week, the Justice Department announced it was launching an antitrust review of major online platforms, including Google, Amazon, and Facebook. “Without the discipline of meaningful market-based competition, digital platforms may act in ways that are not responsive to consumer demands,” said Assistant Attorney General Makan Delrahim in a statement. The announcement, however, made no specific mention of data privacy.