Facebook may soon face a reckoning in Washington.
The social media giant has been in an uncomfortable spotlight for months since the Cambridge Analytica scandal, but Congress and the Federal Trade Commission haven't taken any action against the company beyond their respective inquiries into Facebook's data-use practices.
This week’s revelations that the social media giant quietly shared users’ personal data with dozens of device manufacturers over the last decade may tip the scales. Legislation to rein in Facebook’s practices — and even stiff penalties from the FTC — are starting to look like a real possibility, even in a Congress typically slow to move on tech issues.
Lawmakers fired off letters with questions about how Facebook shares data with other companies. At least one senator is calling for chief executive Mark Zuckerberg to return to the Capitol for another round of grilling. And it may be more than just talk this time: Lawmakers are already talking about legislative solutions.
“Facebook is learning hard lessons that meaningful transparency is a high standard to meet," said Sen. John Thune (R-S.D.), chair of the Senate Committee on Commerce, Science, and Transportation, which is looking into Facebook's data privacy practices. "We’ve asked them to disclose some important but perhaps uncomfortable information and we’ll see how they respond.”
The New York Times reported Sunday that Facebook had struck data-sharing partnerships with at least 60 device makers — including Apple, BlackBerry and Samsung — over the past decade, giving them access to troves of personal information about its users. The arrangements were designed to make it easier for Facebook users to use the site on different platforms that didn't support its app, but lawmakers worried the data might have been harvested without user consent. The controversy deepened on Tuesday, when Facebook admitted that Huawei, a Chinese telecom firm that military and intelligence officials have called a security risk because of its alleged links to the country’s government, was one of the companies that got special access.
All this comes in the wake of disclosures that Cambridge Analytica, a data firm that contracted with President Trump's campaign, improperly obtained the personal information of millions of Facebook users. Taken together, the controversies are giving some lawmakers the impression Facebook is playing fast and loose with users' privacy — and could galvanize support for a legislative solution.
Lawmakers are pointing to two main vehicles emerging in Congress.
One is the Consent Act, a bill sponsored by Sen. Ed Markey (D-Mass.) that would require Facebook and other tech companies such as Google to get explicit permission from users before doing anything with their personal information. It would also require those companies to notify users about all collection, use and sharing of their data. A Markey spokeswoman told me legislation would bar Facebook from sharing precisely the type of user data its agreements apparently allowed the device makers to access. (Meanwhile, the company has defended the arrangements with device makers, saying it had “signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences.")
The second bill, the Social Media Privacy and Consumer Rights Act, introduced by Sens. Amy Klobuchar (D-Minn.) and John Neely Kennedy (R-La.), proposes similar rules allowing users to opt out of data collection. Additionally, it would allow users to prevent companies from tracking their data, require privacy policies to be written in "plain language" and guarantee users the ability to see what companies have already collected on them.
“I’m extremely concerned about reports that even more personal data was provided without consent, particularly about today’s report that some personal data may have been shared with a Chinese telecom company that the Department of Defense identified as a security threat," Klobuchar told me in an email. “That’s why my focus is on protecting consumers’ privacy online, promoting transparency in how their data is handled, and passing my bipartisan privacy bill with Senator Kennedy.”
Both bills were introduced in the wake of the Cambridge Analytica revelations, but may get more support now.
The FTC — which is already investigating Facebook's data practices — also has options. Facebook is bound by a 2011 consent decree with the agency over a different privacy matter to be more transparent about the data it collects about its users. Thune, Markey and other lawmakers are now questioning whether Facebook's arrangements with device makers violated that agreement.
The FTC may have grounds to hit Facebook with "significant financial penalties" if it violated the consent decree, according to William Kovacic, a former FTC general counsel, commissioner and chair.
But even if the disclosures about sharing data with device makers don't run afoul of the agreement, "I think this intensifies the FTC scrutiny in the inquiry that’s going on now and it creates pressure on the agency to do something more bold rather than something more restrained," he told me.
It's also possible to amend the existing consent decree, Kovacic said. A retooled version could "more precisely and more completely" spell out Facebook's privacy obligations, he said, and instruct the company in "more expansive and more detailed in terms of what they need to do."