Regulators Are Figuring Out How to Make Google and Facebook Sweat

Fines go only so far, but something bigger is taking shape

Photo: Omar Marques/SOPA Images/LightRocket/Getty

The Wild West era may be drawing to a close for tech corporations like Facebook and Google. New scrutiny from regulators abroad — and some closer to home — is resulting in fines that portend more substantial changes on the horizon. Soon, your data may rest a bit more squarely in your control.

Last month, Google became one of the first U.S. companies to be punished under Europe’s General Data Protection Regulation, a sweeping consumer privacy and data protection law. The French regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), fined Google $57 million for breaching the law’s provisions on user consent. Per CNIL, Google failed to adequately disclose how a person’s information was used to serve advertisements.

The $57 million fine it isn’t much to the tech giant. (It amounts to roughly 0.15 percent of Google parent company Alphabet’s multibillion-dollar revenue in the most recent quarter alone.) But to the regulator, the fine was substantial. It was the largest-ever penalty for data privacy and was inflicted, CNIL said, due to the “severity of the infringements” and “continuous breaches of the regulation.”

No one sees this penalty as a one-off. Instead, it could be the beginning of a bigger change in how European regulators approach the entire online advertising industry, thanks to pressure from activist groups aggressively pursuing some U.S. technology giants.

While CNIL ultimately levied the penalty, the case was brought to it by a pair of privacy advocacy groups: None of Your Business (NYOB) and La Quadrature du Net. Under new European privacy rules, nonprofits like NOYB, which was founded by privacy activist Max Schrems, act as “fire alarms,” said Abraham Newman, a professor at Georgetown who focuses on international relations. More specifically, the groups can bring data privacy cases to regulators on behalf of users.

If NYOB and other activists succeed in getting European regulators to adopt a strict interpretation of the GDPR, they could fundamentally alter how companies like Facebook collect data from users. For example, tech companies could find themselves unable to demand that users give up personal information for the use of advertisers. “It would be a major rupture,” Newman said.

Consider that for years, Facebook has said — including in a recent op-ed penned by Mark Zuckerberg — that users actually want and benefit from targeted ads based on their personal information. Data sharing is baked into the business model.

It could be the beginning of a bigger change in how European regulators approach the entire online advertising industry.

“If Schrems succeeds in convincing regulators and courts that the two need to be separated, then Facebook and other e-commerce companies face an extraordinarily difficult choice: Either they abandon Europe, or they radically change their business model,” Newman and co-author Henry Farrell wrote in the Washington Post last year.

Meanwhile, the United States lacks a federal privacy law that directly regulates online advertising and social media companies. But change appears to be on the horizon here as well — at least when it comes to Facebook. In 2011, the Federal Trade Commission (FTC) charged the social media company with violating rules against deceptive practices because of how it shared users’ information with third parties.

In a settlement with Facebook, the FTC finalized a so-called consent decree in 2012 to force the social media giant to implement a more comprehensive privacy program. Among other things, that consent decree requires that a user give consent for their data to be shared with third parties.

You can see where this is going. Last year, a political consulting firm called Cambridge Analytica was revealed to have acquired data on up to 87 million Facebook users after exploiting a personality test app that harvested data from a user’s friends, even if they hadn’t taken the quiz. The FTC made a rare public statement in March that it was looking into the company.

The total penalty to Facebook could be “trillions of dollars,” said Sandeep Vaheesan, legal director of the Open Markets Institute. “The FTC has a lot of leverage here,” he added. Instead of just getting Facebook to write a check, Vaheesan said the FTC could use its leverage as a “hammer” to force broader changes from the company, like selling off WhatsApp and Instagram or limiting the collection of personal information from users — “sort of how like prosecutors use the threat of long prison sentences against low-level offenders.”

Back in 2011, Vaheesan explained, the FTC was more limited in the penalties it could impose on Facebook. Once it got the consent decree, however, its power to punish greatly expanded.

While a trillion-dollar fine is implausible (Facebook is worth a few hundred billion), a former FTC official told the Washington Post last year that it could exceed $1 billion. That far exceeds the $168 million penalty on Dish Network for violating the commission’s telemarketing rules — the largest civil penalty yet for violating the core law enforced by the FTC. When Google was punished for violating a consent decree in 2012, it had to pay $22.5 million as part of a settlement for violating a previous privacy order. And in January, the Washington Post reported, the FTC “met to discuss imposing a record-setting fine against Facebook.”

Investors took the news seriously. Facebook shares dropped as much as 7 percent when word of the investigation first leaked out last March, and the stock has yet to reach its previous price.

Even so, on the three earnings calls since the FTC’s renewed interest in Facebook was announced, not one analyst has specifically asked about the consent decree, although last week, David Wehner, chief financial officer at Facebook, said, “We’ve got other headwinds in terms of privacy, where the privacy landscape, I think, does create some risk to 2019 revenue growth… You know, we don’t know exactly how that will play out, but there’s obviously more scrutiny from the regulatory front.”