While investors must be pleased that Facebook Inc.'s (FB) market cap increased by roughly $17.3 billion during the course of CEO Mark Zuckerberg's testimony before Congress this week, the social network still has possible penalties and actions by the Federal Trade Commission to worry about.
Marc Rotenberg, president of nonprofit research firm Electronic Privacy Information Center (EPIC), said that Zuckerberg's testimony showed Congress that Facebook did not comply with a 2011 consent decree from the FTC, which ordered the company to "[give] consumers clear and prominent notice and [obtain] consumers' express consent before their information is shared beyond the privacy settings they have established."
Despite concerns over Facebook's security and privacy issues, most users have not changed their privacy settings in the past four weeks, Facebook vice president of global marketing solutions Carolyn Everson said at The Wall Street Journal CEO Council in London on Thursday, April 12.
Facebook changed its website in 2009 so that private user information was made public without warning or approval. Along with other public interest organizations, EPIC filed the original 2009 FTC complaint that led to the investigation of and subsequent complaint against Facebook.
Rotenberg said that Zuckerberg was evasive when asked about the consent decree during his hearings, noting that he was not able to answer several questions from lawmakers about what was required by the FTC's order.
"That's very significant," said Rotenberg, who argued that Facebook's failure to make meaningful changes after the consent order and the FTC's failure to enforce the order made the Cambridge Analytica scandal possible in the first place.
"The FTC dropped the ball," he said. Rotenberg said that Facebook will likely not see "trillion of dollars in fines" but could face penalties of $100 million or so.
"From the user perspective, we're not looking for big financial penalties," he said. "We're looking for stronger user privacy protections." The FTC has also said it's specifically investigating Facebook's handling of the Cambridge Analytica data situation.
According to Rotenberg, Congress needs to update U.S. privacy laws, especially given Europe's new privacy rules, the General Data Protection Regulation, which go into effect in May.
During his testimony, Zuckerberg said that GDPR guidelines will be adopted by Facebook around the world, not just in Europe, once they're implemented. Rotenberg said that future regulation of the social media giant likely will revolve around competition and data privacy.
Andrew Burt, a former special adviser for policy to the head of the FBI Cyber Division, said that future regulation of internet companies such as Facebook likely will focus on what companies can and cannot do with user data, not just on what users consent to share with these ad-driven giants. Burt now serves as chief privacy officer at Immuta Inc., a data management company.
But Rotenberg said he thinks regulation won't necessarily impose higher costs.
"I'm optimistic about the prospect of privacy regulation," Rotenberg said. "I actually think it will stabilize business practices and build trust."
Sarah St. Vincent, a privacy and data researcher at Human Rights Watch, said that there should not have to be a trade-off between using internet services and trading away personal data.
"It should be possible [for these companies] to have a model that's not nontransparent and exploitative," St. Vincent said.
Facebook shares were down 1.4% to $164.02 during afternoon trading Thursday. Since the beginning of the year, the stock has dropped about 7.1%.