Facebook doesn't only face the prospect of as much as $5 billion in fines by the Federal Trade Commission. The company also may create a new privacy committee, and hire an outside expert to evaluate compliance, in order to settle an investigation into its data-sharing practices.
But Facebook likely will be able to continue to share information about users with developers, advertisers and other outside parties -- provided that it notifies users about the practice. That's the gist of reports in Politico and The New York Times about a potential deal between the FTC and Facebook.
Facebook declined to comment on reports of the possible deal.
News of the possible resolution is already being met with skepticism. Marc Rotenberg, executive director of the Electronic Privacy Information Center, told Politico that nothing in the reported terms would “establish new privacy obligations” or ensure compliance.
If it goes through, the settlement would resolve an investigation into whether violated a 2012 consent decree by allowing political consultancy Cambridge Analytica to harvest data from up to 87 million users. That consent decree prohibits Facebook from misrepresenting its privacy practices, and from misrepresenting the extent to which it makes users' information available to third parties. The seven-year-old order also requires the company to obtain biennial privacy audits by an outside company -- a requirement that seems similar to the potential new mandate for an outside evaluator.
While the new potential settlement may not be as tough as privacy advocates would like, it's also not clear that the FTC would be able to prevail in a court battle with Facebook. That's because Facebook may have a good argument that it adequately notified users their data could be given to developers.
Cambridge Analytica obtained the data from researcher Aleksandr Kogan, who collected it in 2014 through the personality-quiz app "thisisyourdigitallife." Only 270,000 Facebook users downloaded Kogan's app, but he was able to gather data about many of those users' contacts.
At the time, Facebook allowed developers to glean information about users' friends, subject to their privacy settings. Facebook's terms of service prohibited developers from sharing that information. (In April of 2015, Facebook stopped allowing developers to access data about users' friends.)
At least one judge has suggested Facebook may have a point. U.S. District Court Judge Vince Chhabria in the Northern District of California, who is presiding over a class-action lawsuit stemming from the Cambridge Analytica data harvesting, recently suggested that Facebook disclosed its practices to users via privacy policies.
“If you read the words, you come away knowing that even if you limit your settings so that you're sharing only with friends, these third-party apps can communicate with your friends and get all of the information that your friends have access to unless you further change your settings,” Chhabria said recently in court.
“Even then,” Chhabria continued, “you can further change your settings, but if you want to have a meaningful Facebook experience, apps are still going to get some subset of information about you. All of that seems to be disclosed.”