Do the latest fines against Facebook matter or is Facebook going to continue with business as usual?
Last week the US Federal Trade Commission finally agreed upon a suitable punishment for Facebook’s repeated privacy transgressions and fined them. This fine covered a number of highly public data breaches and misbehaviors like the Cambridge Analytica scandal, so it had to be a serious fine. And it was. In fact, it was the biggest fine ever levied: a record-breaking $5 billion. Yes, you read that correctly – five billion with a ‘B’. Impressive, right?
Not only does this fine still have to be approved by the Justice Department, but Facebook was anticipating it and back in April announced that it had set aside $3 billion to pay it. Bear in mind that they also reported over $15 billion in revenue last quarter and made $22 billion in profit last year. Oh, and their earnings are up 26% over last year as well. If they do actually get fined $5 billion that’s going to be less than 10% of the cash and marketable securities they had on hand back in April.
Meanwhile, Facebook did such an excellent job of forewarning investors about the potential fine that their stock price went up about 5% when the penalty was announced. Think about that for a second: the loss of about one month’s worth of revenue was immediately negated by a surge in the value of Facebook stock. Mark Zuckerberg literally saw his net worth increase because of the largest fine in US history.
Is Facebook Going to Change How It Does Business?
The issue here is that despite record fines (Google was hit with a then-record $22 million in 2012), the vast profits made by some companies are making them effectively un-finable. Short of adding a few more zeroes, there’s every reason for these tech giants to treat these fines as the cost of doing business and just ignore any regulations they find inconvenient. And that’s going to be a big problem for governments trying to protect their citizens and their data.
So how does one set fines for megacorporations that can generate massive profits without providing draconian penalties for smaller players a fraction of their size? The case-by-case method currently used by the FTC is obviously not working and it’s extremely slow. Another option is the way the EU General Data Protection Regulation (GDPR) works. Offenders can be fined up to 4% of their annual global turnover or 20 million Euros. That makes it a lot easier to scale the punishment to fit the size of the criminal. It’s also going into effect a lot faster.
GDPR Equivalent in the US
So will we see GDPR-like regulations in the US going forward? Anything’s possible – but note that the closest thing we currently have is the California Consumer Privacy Act (CCPA) which can fine organizations up to $7,500 per violation. That can certainly add up, but it’s not based on a percentage of the offender’s revenue so it’s probably not going to scale beyond a certain point. As organizations consolidate and get bigger and bigger, their profits and pocketbooks get more and more massive. How long before a particularly wealthy healthcare organization decides that the $10,000/violation HIPAA fine is an acceptable cost of doing business for reselling patient information?