If Facebook has to pay a Federal Trade Commission penalty for the Cambridge Analytica data scandal, it will join a very short list of companies to have done so.
Of 91 cases involving online privacy issues the Federal Trade Commission has brought since the first in 1998, just two companies have paid civil penalties specifically for violating adult users' privacy, a USA TODAY analysis of FTC data shows.
They are Google, which paid $22.5 million in 2012, and Upromise, which paid $500,000 in 2017.
The numbers aren't surprising to experts because of the constraints on the FTC when it comes to policing consumers' privacy rights.
Broken promises
The United States does not have a specific law against privacy breaches. The FTC, a government watchdog agency, can only bring an action against a company if it promised to protect customers' privacy and then didn't live up to its vow, or if the company violated specific rules protecting the privacy of children or credit reporting. In a few cases it has also demanded companies pay back money obtained fraudulently.
When children or credit reporting aren't involved, the FTC can't extract monetary penalties unless a company has already reached a settlement with the commission for breaching privacy promises and the commission then finds the company violated that settlement. If a company refused to reach a settlement, the FTC could take legal action and potentially demand penalties immediately.
Because it's already under an FTC settlement, Facebook risks becoming one of the rare cases in which a company is hit with monetary penalties, a rap that could total millions of dollars.
It had its "first strike" in 2011 when the FTC found it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowed it to be shared and made public, according to the FTC.
It agreed to a consent decree that barred it from making misrepresentations about the privacy or security of consumers' personal information, required it to ask users to agree before enacting changes that override their privacy preferences and prevented it from letting anyone access a user's material more than 30 days after the user has deleted his or her account.
In addition, Facebook was required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services. It also had to produce independent, third-party audits of that privacy program every two years for the next 20 years.
Cambridge Analytica triggers a probe
Last month, on the eve of two explosive newspaper investigations, Facebook disclosed that it knew in 2015 that nearly 300,000 Facebook users who had downloaded a personality quiz app called This Is Your Digital Life had their information shared with Cambridge Analytica. Facebook failed to alert individual users that their data had been improperly harvested until this month.
The FTC is now investigating whether allowing the personal information of 87 million users to be accessed by political ad targeting firm Cambridge Analytica, without their consent, constitutes a violation of that decree. If the FTC finds it does, that could lead to civil penalties of as much as $16,000 for each violation of the order.
Facebook CEO Mark Zuckerberg doesn't think it will come to that.
In his testimony before Congress last week, he said "it certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform."
But when asked whether the incident amounted to a violation of the FTC settlement, Zuckerberg said no.
"My understanding is that—is not that this was a violation of the consent decree," he said.
Google's $22.5 million penalty
If Facebook does end up paying, it will become just the third company found guilty of this kind of violation to be forced to do so. In the majority of cases the FTC has brought against companies for online privacy issues (49 of 91), the commission couldn't ask for money. Instead it reached a non-monetary settlement agreement with the companies, essentially a "first strike." Should those companies get a second strike, they could be subject to a monetary penalty, but not before.
The settlements require them to implement a comprehensive privacy program and generally to obtain regular, independent audits. Usually the company must file a report every two years for 20 years after the settlement, as Facebook has been doing.
Money from civil penalties only comes into play when a company has breached its "first strike" settlement agreement, which both Google and Upromise did. At that point the FTC can hit the company with penalties.
Google paid out the largest amount so far, $22.5 million, from a 2012 commission finding that the company misrepresented to users of the Safari Internet browser that it would not place tracking "cookies" or serve targeted ads to those users.
That violated a 2011 settlement order the FTC had with the company over Google's Buzz social network that was part of Gmail. Google had led Gmail users to believe that they could choose whether or not they wanted to join the network, but the options for declining or leaving the social network didn't fully work.
In the Upromise case, which cost it $500,000, the FTC found in 2017 that the company didn't disclose to consumers the full extent of the data it collected about them or how it used that data.
This violated a 2012 agreement the FTC had with the membership reward service, which was aimed at consumers trying to save money for college. It had used a web-browser toolbar to collect consumers' personal information without adequately disclosing the extent of the information it was collecting.
There has been one case in which a seeming second strike didn't result in a payout. Last week the FTC strengthened its settlement with Uber over a 2016 breach in which tens of millions of Uber riders' and drivers' data was accessed, without adding civil penalties.
However, the 2017 settlement with Uber hadn't yet been finalized. Administrative complaints and orders must go out for public comment and must gain final approval from the commission after the comment period. Because that hadn't yet happened, there was no basis for seeking civil penalties from Uber.
Were users deceived?
In Facebook's case, FTC commissioners must now determine whether it did indeed violate the terms of its settlement. Experts don't agree on what that outcome might be.
"One has to make an argument that consumers were deceived about friend information sharing, and that's a difficult point to prove," said Chris Hoofnagle, a law professor at the University of California at Berkeley and author of Federal Trade Commission Privacy Law and Policy.
Others say there's no question Facebook will be dinged.
"This has got to be about the easiest case ever presented to the FTC," said Marc Rotenberg, executive director of the non-profit Electronic Privacy Information Center in Washington, D.C. EPIC pushed the FTC to include privacy in its purview back in 1995 and sued the agency in 2012 for not enforcing the order against Facebook.
He expects Facebook's penalty will be between $100 and $200 million and will take between three months and a year to be issued.
In many ways, money will be the least of Facebook's concerns, said William Kovacic, a law professor and privacy expert at George Washington University.
With a market capitalization of $485 billion, even hundreds of millions of dollars is just a rounding error for Facebook. Far more damaging could be a new settlement the FTC might bring against the company, one that imposes even stronger conditions on how it can treat users' data—and make money from it—in the future.
In his testimony before Congress last week, Facebook CEO Zuckerberg said, "We need to take a broader view of our responsibility around privacy than just what is mandated in the current law."
"The FTC might say, 'You better believe it,'" said Kovacic, who chaired the FTC from 2008 to 2009.
As the FTC gets a better handle on the extent of data collection and use by such sites, it could begin to do more on privacy enforcement than it has in the past.
"I think this is just a beginning of a long and animated debate about privacy," said Stephen Calkins, a law professor at Wayne State University Law School. He served as general counsel for the Federal Trade Commission from 1995 to 1997.