On Facebook, the FTC, and 5 BILLION dollars

There are so many ways to look at the FTC’s $5B Facebook fine and the sweeping settlement order that was announced today. Facebook is a repeat offender, and much will be made of how unique they are in the marketplace and how distinct every other company’s risk profile might be. Few companies will have the opportunity to abuse more data than Facebook, or to anger politicians for being complicit in the bending of the democratic process in the US and across the pond. Despite all of this, the fine is relevant for everyone in privacy and everyone in tech.

• Privacy infractions have never been anywhere close to this expensive on a relative basis. We’re now talking about fines that can wipe out the operating profit of significant public companies. There is no company on Earth with a board that fails to notice a $5B fine.
• Everyone has been talking about the 4% annual turnover fining authority of the Europeans under GDPR, and will they (shudder) dare to ever use it? Well the US just beat them to the punch. With a fine that exceeds 4%.
• Once again, the EU leads on privacy, we call them crazy, and then we wake up in their world. This is the new normal.
• The FTC just introduced criminal liability for Facebook executives. I don’t care what you think of the financial invulnerability of their executive team. I guarantee you this has their attention.
• The settlement order requires Facebook to create significant new oversight roles in their management structure, including roles with autonomy and independence. The US appears to be acknowledging that roles akin to a Data Protection Officer (DPO) have an important role to play in the US market, especially where business models might cut against consumer interests. There are significant organizational requirements that many tech companies will be taking under consideration as they think about their own governance, especially in light of CCPA and whatever else is coming our way in 2020.
• Facebook immediately announced the nomination of a product marketing exec to their CPO role. I’m just going to let that sink in for a moment. Clearly, the answer to all of their privacy problems had been sitting at the executive table the whole time. A party to all of those decisions that have put them in the current predicament.
• Facebook is the commercial equivalent of a rocket propelled mountain. They can absorb the financial and brand damage of the moment, and if they are able to extract some operating lessons, recover. You can’t. If you take the lesson that they have not been destroyed by these actions, you’re missing every point that is applicable to you and your company.
• Despite all of this, the lessons for early stage startup and VC communities has to be more muddled. Every VC that cheered Facebook on has made billions. The company has minted hundreds of millionaires. For these individuals, is $5B their tip to the government before riding off into the sunset? Perhaps.
• This settlement was controversial and political within the commission. Both Democratic commissioners voted against the settlement on the basis that it didn’t go far enough in holding the organization and key executives accountable. So the Republicans all voted for the largest privacy fine ever, anywhere. And the Democrats wanted to go further. How does this balance shift after the 2020 elections?

When we take all of this together, we find ourselves in a world that is changing quickly. Privacy rules and enforcement are suddenly a bipartisan, global priority, and the stakes have just leveled up considerably.

If you found this piece valuable, please give us a few hearty claps and follow us for ongoing updates. We also welcome discussion — please leave your comments and feedback in a response below!

The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at hello@lucidprivacy.io or visit us on the web or Twitter.