Facebook doesn't only face the prospect
of as much as $5 billion in fines by the Federal Trade Commission. The company also may create a new privacy committee, and hire an outside expert to evaluate compliance, in order to settle an
investigation into its data-sharing practices.
But Facebook likely will be able to continue to share information about users with developers, advertisers and other outside parties -- provided
that it notifies users about the practice. That's the gist of reports in Politico and The New York Times about a potential deal between the FTC and Facebook.
Facebook declined to
comment on reports of the possible deal.
News of the possible resolution is already being met with skepticism. Marc Rotenberg, executive director of the Electronic Privacy Information Center,
told Politico that nothing in the reported terms would “establish new privacy obligations” or ensure compliance.
If it goes through, the settlement would resolve an investigation
into whether violated a 2012 consent decree by allowing political consultancy Cambridge Analytica to harvest data from up to 87 million users. That consent decree prohibits Facebook from
misrepresenting its privacy practices, and from misrepresenting the extent to which it makes users' information available to third parties. The seven-year-old order also requires the company to obtain
biennial privacy audits by an outside company -- a requirement that seems similar to the potential new mandate for an outside evaluator.
While the new potential settlement may not be as tough
as privacy advocates would like, it's also not clear that the FTC would be able to prevail in a court battle with Facebook. That's because Facebook may have a good argument that it adequately notified
users their data could be given to developers.
Cambridge Analytica obtained the data from researcher Aleksandr Kogan, who collected it in 2014 through the personality-quiz app
"thisisyourdigitallife." Only 270,000 Facebook users downloaded Kogan's app, but he was able to gather data about many of those users' contacts.
At the time, Facebook allowed developers to
glean information about users' friends, subject to their privacy settings. Facebook's terms of service prohibited developers from sharing that information. (In April of 2015, Facebook stopped allowing
developers to access data about users' friends.)
Facebook has said in court papers that its privacy policies in 2014 informed users that their data could be shared.
At least one judge
has suggested Facebook may have a point. U.S. District Court Judge Vince Chhabria in the Northern District of California, who is presiding over a class-action lawsuit stemming from the Cambridge
Analytica data harvesting, recently suggested that Facebook disclosed its practices to users via privacy policies.
“If you read the words, you come away knowing that even if you limit
your settings so that you're sharing only with friends, these third-party apps can communicate with your friends and get all of the information that your friends have access to unless you further
change your settings,” Chhabria said recently in court.
“Even then,” Chhabria continued, “you can further change your settings, but if you want to have a meaningful
Facebook experience, apps are still going to get some subset of information about you. All of that seems to be disclosed.”