Nothing in the FTC’s and states’ complaints’ prayer for relief seeks to give users greater control over their data, such as not being tracked for behavioral advertising purposes. Even with an independent Instagram and WhatsApp, Facebook will still be a formidable force thanks to its data advantage.
If any agency can tackle the abuses and risks posed by Facebook, it’s the Federal Trade Commission. To effectively tackle monopolies, Congress enacted in 1914 the Federal Trade Commission Act, which gave the new agency broad powers to deter myriad forms of unfair competition beyond traditional antitrust violations.
Besides the broad antimonopoly powers, Congress also gave the FTC expansive power to deter deceptive practices (beyond those proscribed under common law fraud). And the FTC is the primary enforcer of privacy protections today in the United States. It enforces, among other things, the Children’s Online Privacy Protection Act (COPPA), which is intended to provide parents greater control over what information websites can collect from their children. For most privacy and data protection issues, including companies’ lax data protection measures and deceptive privacy policies, the FTC relies on Section 5 of the FTC Act.
So when a powerful platform, like Facebook, lies to users to extract their data, degrades privacy protection after acquiring potential threats (such as WhatsApp), and uses that vast trove of personal data to addict us, manipulate us with behavioral ads, and maintain its dominance, the FTC could rise to the challenge. Unlike any other federal or state agency, the FTC has multiple weapons to target privacy, consumer protection, and antitrust violations.
But so far, the FTC hasn’t done that. It’s not because of ignorance. Like the German, Australian, and UK competition authorities, the FTC recognizes that Facebook’s power comes from the variety and volume of personal data it amasses, and its velocity in processing that data to profit from behavioral advertising. It knows that until Facebook’s surveillance and expropriation of our data are directly addressed, the problems and risks posed by the dominant social network won’t go away.
It’s not because of a lack of opportunity. With the recent antitrust complaint, the FTC has had three opportunities to rein in Facebook’s data-opoly.
So, if the source of the data-opoly’s power is its extraction of data, why hasn’t the FTC addressed the root of the problem? To put the recent FTC’s and states’ monopolization complaints in context, we need to first look at the FTC’s 2011 and 2019 consent decrees against Facebook. Only then can we look at what the 2020 complaints add, what’s still missing, and what needs to be done.
I. The 2011 and 2019 Consent Decrees
The FTC first sued Facebook in 2011 for its deceptive privacy settings and statements. The dominant social network made many promises that it failed to keep, including:
- representing that third-party apps that users’ installed would have access only to Facebook user information that they needed to operate, when in fact, “the apps could access nearly all of users’ personal data – data the apps didn’t need”;
- telling “users they could restrict sharing of data to limited audiences—for example with ‘Friends Only,’” when in fact, “selecting ‘Friends Only’ did not prevent their information from being shared with third-party applications their friends used;”
- claiming it certified the security of participating apps under its “Verified Apps” program when it didn’t; and
- promising users that “it would not share their personal information with advertisers,” when it did.
Facebook settled, obligating itself to live up to its privacy promises to its users.
But, as the FTC found, Facebook soon broke that promise. Facebook continued to subvert “users’ privacy choices to serve its own business interests.” It continued to deceive users, by sharing their information with app developers, including the app This Is Your Digital Life, which funneled sensitive personal data on Facebook users and their friends to Cambridge Analytica.
Not only did Facebook violate the 2011 consent decree, but it engaged in additional deceptive conduct. For example, Facebook asked users for their telephone numbers ostensibly for a two-factor authentication security feature to help keep their accounts secure. But Facebook then used the telephone numbers for advertising purposes without telling users of that purpose.
In 2019, the FTC, in a 3-2 decision, imposed a record $5 billion penalty, added new privacy and data security obligations on Facebook, and devised a new governance structure.
Facebook’s repeated privacy violations are revealing in several ways.
First, it illustrates the shortcomings of the current enforcement under section 5 in protecting our privacy. While Facebook was ordered in 2011 to establish and maintain a “comprehensive privacy program” designed to protect the privacy and confidentiality of personal information, the opposite happened. The 2019 Complaint discusses how Facebook repeatedly violated the FTC order and used our data as currency with third-party apps to increase its profits and power:
“Even though Facebook acknowledged the data-privacy risks associated with the data access it gave to third-party developers, on numerous occasions, while determining whether to continue granting a particular developer access to user data, it considered how large a financial benefit the developer would provide to Facebook, such as through spending money on advertisements or offering reciprocal data-sharing arrangements.
At one point in 2013, for instance, Facebook considered whether to maintain or remove data permissions for third-party developers based on whether the developer spent at least $250,000 in mobile advertising with Facebook.” 1
So neither the law nor the risk of being in contempt of an FTC order deterred Facebook.
Second, the risk of antitrust enforcement under Section 5 did not deter Facebook either. This is not surprising. Before the Google and Facebook monopolization cases in 2020, the US competition authorities rarely brought monopolization cases, with the last significant one in the 1990s against Microsoft.
A third, perhaps more glaring, problem is the FTC’s response to the data-opoly’s repeated and significant privacy violations. The Cambridge Analytica scandal exposed how Facebook was sharing vast amounts of personal data with third parties without the users’ consent, and contrary to its requirements under the FTC order. Confronted with a repeat offender, the FTC could have reined in the data-opoly.
All five FTC Commissioners, in the 2019 consent decree, recognized that personal data is a key source of this data-opoly’s power. It was undisputed that Facebook’s incentive was to continue to amass personal data to target users with behavioral ads. Given Facebook’s continued dominance, its incentives under its behavioral advertising-dependent business model, and the inability of users to switch to viable alternatives, the FTC could have required, as Germany’s antitrust agency did in its prosecution of Facebook, substantive privacy remedies.
Tellingly, the FTC did not. The 2019 consent decree did not restrict Facebook’s ability to continue to harvest personal data for behavioral advertising. Nor did the FTC limit (i) what data Facebook could share with third-parties, (ii) the extent to which Facebook could combine user data internally from what it collected from Instagram, Facebook, and WhatsApp, and (iii) the data Facebook could collect from users and non-users when they weren’t even on Facebook.
The absence of privacy protections, for the two dissenting FTC Commissioners, was a deal-breaker. Commissioner Slaughter could not “view the order as adequately deterrent without both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook’s data use and order compliance.” As Commissioner Rohit Chopra noted, “Facebook’s violations were a direct result of the company’s behavioral advertising business model” and the FTC’s settlement did “little to change [Facebook’s] business model or practices that led to the recidivism.”
But for three FTC commissioners, any substantive privacy protections were beyond the agency’s power under the FTC Act: “Our 100-year-old statute does not give us free rein to impose these restrictions.” For these three commissioners, the extent to which Facebook, or any other company, should be able to collect, use, aggregate, and monetize data, is something Congress should evaluate in its consideration of federal privacy legislation.
II. 2020 Monopolization Complaints
One year later, the FTC and nearly every state attorney general alleged how Facebook stifled competition, which deprived users of, among other things, better privacy and data collection options.
The FTC’s and states’ complaints allege that Facebook illegally maintained its monopoly, in violation of section 2 of the Sherman Act, through its acquisition of nascent competitive threats (Instagram and WhatsApp in particular). Using its nowcasting radar (where it uses personal data to identify which apps are potential threats), Facebook pursued an Acquire-Copy-or-Kill (ACK) strategy. As Facebook’s CEO Mark Zuckerberg said in an internal e-mail, “it is better to buy than compete.”
If the target rebuffed Facebook’s offer, it could incur the “wrath of Mark.” Facebook, for example, coupled “its acquisition strategy with exclusionary tactics that snuffed out competitive threats and sent the message to technology firms that, in the words of one participant, if you stepped into Facebook’s turf or resisted pressure to sell, Zuckerberg would go into ‘destroy mode’ subjecting your business to the ‘wrath of Mark.’” Facebook could deny the rival scale by copying the start-up’s innovative features. Also, Facebook would cut off access to the rival, and any firm helping the rival, to its social network’s APIs, which are necessary to effectively compete (as Vine leaned when Facebook cut off access to its Find Friends API).
So, among the remedies the FTC seeks are (1) divestiture of Facebook’s “assets, divestiture or reconstruction of businesses (including, but not limited to, Instagram and/or WhatsApp);” (2) veto power over future acquisitions where Facebook must give the FTC notice and obtain the agency’s approval before merging with or acquiring another entity; and (3) permanently enjoining Facebook from imposing anticompetitive conditions on access to its APIs and data.
III. So What’s Missing?
Nothing in the complaints’ prayer for relief seeks to give users greater control over their data, such as not being tracked for behavioral advertising purposes. The stakes, as Commissioner Chopra noted in 2019, are huge:
“The case against Facebook is about more than just privacy – it is also about the power to control and manipulate. Global regulators and policymakers need to confront the dangers associated with mass surveillance and the resulting ability to control and influence us. The behavioral advertising business incentives of technology platforms spur practices that are dividing our society. The harm from this conduct is immeasurable, and regulators and policymakers must confront it.”
But the FTC still hasn’t confronted it. While the states’ complaint discusses how Facebook abuses its dominance by expropriating significant amounts of personal data, neither the FTC nor the states address specific steps to deter Facebook’s data hoarding, surveillance, and manipulation. There is some precedent. Germany’s antitrust agency, for example, in its abuse of dominance case, prohibited Facebook from collecting personal data from third-party websites and assigning them to a Facebook user account, unless the user freely and voluntarily opts-in.
Perhaps the assumption is that the proposed relief will invigorate competition, which will require Facebook, as it did early on, to improve privacy protections. In spinning off Instagram and WhatsApp, Facebook’s protective moat will shrink, and Facebook would now face more competitive pressure. In blocking future “killer acquisitions” and preventing Facebook from killing off smaller rivals by withholding access to its APIs and data, the FTC will defang the A and K of the ACK strategy leaving only Facebook’s copying the start-up’s innovative features, a tactic left to intellectual property law to deal with (if at all).
Perhaps privacy competition may increase down the road. But Facebook’s monopoly has been durable, even with the #deleteFacebook campaign after the Cambridge Analytica scandal and a recent advertiser boycott.
One factor, as the antitrust complaints address, is network effects. Another factor is Facebook’s data advantage, which translates to an advertising advantage. So, even with an independent Instagram and WhatsApp, Facebook will still be a formidable force.
But more competition may not be necessarily better. Without effective privacy safeguards, we may simply have more companies competing to addict us to their products and grab our data. As our new book Competition Overdose: How Free Market Mythology Transformed Us from Citizen Kings to Market Servants explores, we may be left with the toxic competition.
IV. What Needs to be Done
Even though the FTC was given broad powers to tackle data-opolies and determine what constitutes unfair methods of competition beyond those practices already prohibited by the Sherman Act, the FTC, according to several of its current commissioners, claims it is powerless to protect the 223 million Facebook users in the US with substantive relief.
So, if the FTC cannot limit the data-opolies’ expropriating our data, which other US agencies can? None.
The US, unlike Europe, does not have a baseline privacy framework. Instead, privacy protection in the US is a patchwork of the FTC Act, common law torts, state laws, constitutional claims, and specific statutory protections, such as COPPA.
A baseline privacy framework is very much needed. Without it, the federal and state agencies cannot curb the data-opolies’ expropriation of our data. Without it, the race to profile us, addict us, and manipulate us, to profit from behavioral advertising will continue.
Thus, while we should celebrate the recent monopolization cases against Facebook and Google, don’t expect their creepy surveillance to end. The challenge for the Biden administration and Congress is to enact the privacy framework that attacks the source of the problem: the surveillance economy that a few powerful platforms have designed for their benefit, at our expense.
- FACEBOOK 2019 COMPL. AT ¶¶ 88-89. IN APRIL 2015, FACEBOOK FINALLY REMOVED GENERAL ACCESS TO AFFECTED FRIEND DATA BUT GRANTED SPECIAL ACCESS TO AFFECTED FRIEND DATA TO CERTAIN DEVELOPERS WITHOUT TELLING USERS. BUT FACEBOOK PRIVATELY GRANTED CONTINUED ACCESS TO FRIEND DATA TO MORE THAN TWO DOZEN DEVELOPERS—THE WHITELISTED DEVELOPERS—WHICH INCLUDED GAMING, RETAIL, AND TECHNOLOGY COMPANIES, AS WELL AS THIRD-PARTY DEVELOPERS OF DATING APPS AND OTHER SOCIAL-MEDIA SERVICES. FACEBOOK 2019 COMPL. AT ¶ 8.[↩]