Cambridge Analytica, the data company hired by the Trump campaign in 2016, has been accused of taking private information unbeknownst to users. The FTC will investigate whether or not Facebook violated a 2011 consent order with the FTC over its handling of user data and how the company notifies users of changes to its terms of service.
The FTC investigation is the most significant legal threat Facebook has faced, and could lead to a massive fine for the social network.
We spoke with professor Woodrow Hartzog, who specializes in privacy and data protection law, to explain the possible legal fallout from this investigation. Professor Hartzog is a professor of law and computer science and holds a joint appointment in the School of Law and College of Computer Science.
What is the basis of the FTC investigation into Facebook?
In 2011, Facebook signed a contract with the FTC called a consent order. It’s an agreement in which Facebook promises not to make any misrepresentations about privacy or data security, to give notice to users if it uses certain nonpublic information, and to create a comprehensive privacy program. This complicates the investigation because if you look at the text of the consent order, it’s actually not immediately clear whether Facebook’s actions violated any of the terms of the consent order.
Whether users’ privacy settings were visible is another question.
So then is this necessarily a legal case?
Privacy law in the United States is multifaceted. The FTC is the main enforcer of privacy within the U.S., but there are also common law torts that might be relevant. There are also breach-of-contract claims that might be relevant. There are disclosures that Facebook is required to make to other administrative agencies, like the Securities Exchange Commission (SEC).
“I’m not entirely sure that the result of that investigation is going to lead to a conclusion that Facebook violated the consent order.”
It’s possible that liability can be found on several grounds. There are state data-protection laws and security laws that might be implicated here. There are also several possible theories of liability here. One is that Facebook didn’t adequately follow up when it was notified of a possible breach of the terms of service agreed to by the developers when they get access to user data. In other words, it’s a failure of due diligence, not necessarily a deception case.
There are multiple possible liabilities in this situation, but looking at the facts as reported I’m not sure which, if any, are clear-cut cases of liability. And what this shows is that there is an entire category of problems involving user data for which there is not a clear remedy in U.S. law. This should put lawmakers on alert and nudge them to create new laws, like a national privacy law. Or maybe it involves broadening and strengthening the authority of the FTC. Right now, the FTC acts on relatively limited authority to police these practices as compared to Europe, where the General Data Protection Regulation (GDPR) has very broad powers of enforcement.
How realistic is it for Facebook to enforce its terms of service, given the scale of its users?
This is one of the harder questions. It may be true and very possible that enforcing its terms may require of Facebook an incredible expenditure of resources and time. But when the law is deciding where the obligation should lie, it should lie on the company that created the system to facilitate it.
It’s incumbent upon Facebook to figure out a way to adequately verify these third-party companies, and if there’s no way to adequately verify them then maybe we need to revisit the practice altogether. Otherwise, we’ve created a system with an imprimatur of legitimacy that Facebook ostensibly has these rules that you’re theoretically supposed to follow. But if there’s no follow-up and no accountability, then it’s, in practice, creating a free pass for companies to violate the terms without any fear of meaningful enforcement.
This had wide-reaching implications for the 2016 election, but it seems that it has broader implications about personal data in general. How does the United States move forward in protecting privacy and user data?
The straightest path forward is to finally push through a federal data privacy law, which is an initiative that has been attempted several times. But for various reasons, there hasn’t been enough political will to push it through. This issue might give lawmakers the impetus to finally do so.
In addition to the FTC investigation, both the Massachusetts and New York attorneys general are looking to also investigate Facebook. How will that play into the FTC inquiry?
At the federal and state levels, when it’s a fairly large investigation you may see cooperation between the state and federal agencies. It wouldn’t surprise me if the FTC started working with the state attorneys general to coordinate an investigation because the rules that the states have are in harmony with the rules at the federal level. It’s important to watch and see what coordination may take place because in some instances, the state attorneys general have even more power than the FTC and are able to move with a little more agility in ways that can help bring about some sort of accountability. It wouldn’t surprise me to see states lead the way here, particularly if it comes out that the FTC is limited because of the governing consent order that they have with Facebook.