I think Facebook could probably characterize 2019 year-to-date as “less than fantastic.”  The ongoing fallout from Cambridge Analytica in the UK, massive consumer distrust, the internal strife between what appears to be Team Zuck versus Team Cheryl, and now the looming multibillion-dollar fine that FTC seems to be preparing. It’s enough to make you drink.

Honestly, there really wasn’t much chance that this huge fine didn’t happen, for a few reasons.  First, public perception (and anger) at Facebook has reached a high enough point that the government feels like it needs to take some action.  I’m not saying that the #deletefacebook movement spurred federal involvement, but I am definitely saying that public opinion didn’t hurt.  And some research indicates that those opinions have been followed by real action, with large numbers of Facebook users quitting in the past several months.

So maybe FTC is striking when Facebook is weak?  Not so much.  Despite public anxiety of Facebook’s activities, investors and the markets seemed less concerned, with Facebook posting strong returns for Q4 2018.  But this, paradoxically, is another catalyst for FTC action: strong returns mean that the Street isn’t worried about Facebook’s financial health, which, in turn, gives Facebook less incentive to change their ways and modify those questionable, but oh-so-lucrative policies that got them into this mess.  Without a market-driven reason for modification of their behavior, the FTC presumably saw a reason to get involved.  It was part of the thinking that drove DOJ’s decades-long fight against Microsoft.

Last — and to me, most importantly — FTC has a unique opportunity right now.  The combination of public anxiety over tracking and privacy, Congressional inactivity on privacy, and a general belief that Facebook is a bad actor, taken all together, gives FTC justification to cement its position as the US’s data protection authority in a way that even FTC v. Wyndham didn’t: by capturing the public mood and appearing to strike a blow for personal privacy.  I’m not being cynical, I am confident that FTC’s actions are motivated by concerns with Facebook’s conduct and a desire to deter other companies from following suit.  But you could hardly ask for a better political environment than this to conspicuously don the mantle of privacy avenger, and FTC is doing just that.

One likely unanticipated outcome from all of this is that the chances of a comprehensive federal privacy law diminish in inverse proportion to the size of the Facebook fine.  There are, as we’ve mentioned, a few federal laws on privacy in the works right now, but none of them have generated enough momentum to move ahead in a serious way.  And, given the uncertainty surrounding CCPA and its rollout in California, I think that many in Congress and other state legislatures are going to adopt a wait-and-see approach to understand the potential risks to implementing a broad privacy law like CCPA.  To be fair, CCPA does have some substantial structural and operational issues that may render its rollout a complicated affair.

Regardless of what happens in California, though, this Facebook investigation will ease some of the pressure on Congress to create a comprehensive privacy law, because it will appear that the FTC can handle enforcement of privacy matters in the US.  And up to a point, that is exactly right: the Commission is very adept at policing the outer boundaries of misconduct by companies that mislead or manipulate consumers, which is the agency’s remit under the FTC Act’s prohibition on “unfair or deceptive trade practices.”  That has been the backbone of FTC’s enforcement approach for two decades, and it’s why their enforcement actions are almost always related to some variety of mis/half/un-truth that could deceive or mislead consumers.  By heavily penalizing Facebook for not being direct with users about tracking, monitoring, or other forms of data collection, FTC essentially sends a message to Congress that “we’ve got this.”

The problem, in this instance, is that FTC’s mandate isn’t exactly conterminal with what a federal privacy law might cover.  In effect, it’s the difference between a negative law (“Companies shall not do X”) and a positive one (“People have the right to Y, and companies shall not violate that right by doing, among other things, X”).  If the federal approach to privacy is the former (as it is now, under the FTC Act), there will be policing, there will be fines, and there will be public announcements that bad data practices incur regulatory wrath.

But there won’t be the development of a separate, meaningful body of law about the right to privacy that individuals can vindicate outside of the consumer context, or outside of a deceptive act.  If Facebook’s monitoring activities were fully disclosed in a privacy policy, but you need to be a lawyer to understand it, is it really fair to say that they’ve obtained user consent?  Would it be any more fair to accuse Facebook of deception in that same scenario because, after all, the truth is there in the privacy policy, in black and white?  Without affirmative guarantees of more than mere “thou shalt not deceive consumers,” privacy law in this country will continue to miss the real issues: that there needs to be a difference between consumer law and privacy law, and that it is the persistent, unconsented monitoring of human behavior that presents the gravest risks to autonomy and freedom.

FTC is doing what their charter permits, and many will applaud whatever behemoth fine they impose on Facebook.  But their success may well prevent the very conversation this country needs to have about what privacy really means, and how to guarantee it.