Facebook may be about to pay up. The Federal Trade Commission is reportedly weighing what kind of fine to impose on Facebook for some of its past actions—specifically, the privacy practices and lapses that allowed the voter analytics firm Cambridge Analytica to harvest the personal data of more than 87 million Facebook users without their consent in 2014. Last March, after the Cambridge Analytica story broke, the FTC began to investigate whether Facebook was in violation of an agreement it had made with the agency in 2011 that required the social network to obtain affirmative consent from users before accessing or sharing data about them beyond what they had explicitly agreed to. Under the consent decree, the FTC can fine Facebook up to $40,000 a day per individual violation, which for this snafu could amount to a bill as high as $2 trillion.
While it’s unlikely the fine will tally anywhere close to the trillions, the Washington Post reports that it’s likely going to be higher than the $22.5 million fine levied again Google last year for violating a privacy agreement with the FTC. It could be significantly higher. The FTC once landed on a $100 million settlement with the identify-theft protection firm LifeLock for deceptive advertising and failing to keep its customers’ data safe after violating a federal court order. But for Facebook, a fine in either of those neighborhoods would still probably just be a slap on the wrist, considering the company made more than $40 billion in 2017, or more than $109 million a day.
If the idea is to punish bad—and promote good—behavior, what size fine should Facebook receive? It’s first worth clarifying that Facebook really did mess up. The company had a 2011 agreement with the FTC not to share its users’ data without consent, but it wasn’t until 2014 that Facebook actually changed its data-sharing policy, which allowed developers to access not only the data of users who downloaded or agreed to use their apps, but also their friends’ data. From the looks of it, Facebook likely did not obey its consent decree—and because of its loose policies, one of those third-party developers was able to slip a massive amount of user data to Cambridge Analytica.
Certainly, Facebook should face consequences for its actions. But it’s hard to imagine an amount of money the feds would consider that would even give the company reason to flinch—there’s just no history of the FTC leveling such high fines. Theoretically, the U.S. could issue a European Union–size slap on the wrist, a la the $5 billion regulators levied at Google in 2018 for anticompetitive practices in the Android smartphone market. That would certainly scare any company. But there’s really no precedent that suggests a fine that big would be applied in the U.S. anytime soon.
But the fine’s size isn’t the only variable. Rather, according to Jennifer Taub, a professor at Vermont Law School who focuses on corporate governance and regulation, a better question would be where the money that Facebook pays is going to come from. And one problem, Taub says, is that “the people who pay the fine are the shareholders. The company pays it, but ultimately the people who feel the hurt there will be the shareholders.” FTC actions generally are aimed at the behavior of a company, not individuals, and shareholders own the company.
Shareholders don’t determine Facebook’s policies; executives do. According to Security and Exchange Commission filings, Facebook CEO Mark Zuckerberg took home nearly $9 million in total compensation in 2017 while Chief Operating Officer Sheryl Sandberg’s bag exceeded $25 million that year. Whatever Facebook pays the FTC, it isn’t likely to come from the pockets of people who actually got the company (and its users) into a privacy nightmare. But it could if the FTC got a little creative and required that any settlement payment come from the compensation of Zuckerberg and other senior executives. “To me it would be just for the entire fine to come from executives and the board of directors,” Taub said. “Pass the hat around and then you get the fine. That would be the best way to manage this and deter this behavior in the future.”
Even if the FTC is unlikely to take such a step, the board of directors at Facebook could theoretically still push the fine back to the executives—though that’s particularly unlikely in Facebook’s case, since Zuckerberg has 60 percent of the voting power. That might be an argument for further requirements from the feds, according to Nell Minow, vice chair of ValueEdge Advisers, a corporate governance consulting firm. “What the government needs to do is insist that there be very significant changes in corporate governance structure,” says Minow. “That’s the only thing that will make a difference here. They need independent directors.” In other words, without the money coming from their pocketbooks or the threat of losing power, Facebook executives might be perfectly content paying $20 million a year or $100 million.
If the government wants to get serious about regulating Facebook, that kind of approach could be an important tool. It’s true that Facebook has made it significantly harder for outside developers to scrape and access the data of users in recent years, though it didn’t close some funnels until after the Cambridge Analytica scandal reached full boil last spring. It also didn’t disclose the problem until journalists uncovered it, much like a number of embarrassing revelations about the company’s practices that emerged throughout 2018. Eventually this public scrutiny will die down, however, and there may not be much preventing Facebook from once again erring toward permissiveness when it comes to user privacy.
The FTC isn’t the only federal agency investigating Facebook right now. The SEC is also probing the company, as is the FBI and the Department of Justice, and changes to corporate governance might be one outcome of those inquiries. Whatever punishment is levied, making sure that executives feel it is probably a pretty good way to give users faith that Facebook’s old patterns won’t repeat themselves again.