(Bloomberg Opinion) -- No one will ever feel sorry for Facebook Inc. Its history of deceptiveness, obfuscation and sheer blundering indiscretion has no modern peer. Even so, it’s fair to ask whether the Federal Trade Commission got it right this week by imposing a record-smashing $5 billion penalty on the company — and to wonder what this might portend for the rest of the tech business.
The payment resulted from a year-long probe into whether Facebook had misled its users about how it handles their personal information, in violation of a previous FTC order in 2012. In a press release, the commission said the deal would impose “unprecedented new restrictions on Facebook’s business operations” and “change Facebook’s entire privacy culture.”
Really?
In one way, the settlement was indeed strict. It levied the largest such penalty in the FTC’s history, established an independent privacy committee on Facebook’s board, created new oversight positions, demanded that executives certify their compliance every quarter, and insisted that the company conduct a privacy review of every new product. For good measure, the Securities and Exchange Commission added a $100 million imposition of its own.
And yet the deal creates no significant new limitations on how Facebook collects, stores or shares data. It will have little to no effect on the company’s advertising business. And all that added scrutiny and oversight? In practice, it’s likely to amount to some added paperwork and bureaucracy that a company of Facebook’s means can weather with ease. As for that headline-grabbing penalty, that's hardly going to hurt.
So why does Facebook always seem to get away with it? Not because of a “lack of will” on the FTC’s part, as lawmakers sometimes claim. It’s because by and large the company’s business practices are entirely legal. The U.S. has no comprehensive national privacy law; even imposing these latest penalties required the FTC to take an expansive interpretation of its own powers. Facebook does what it does because it can.
Congress professes to be unhappy with all this. Legislators of both parties have expressed operatic dismay that the FTC’s settlement didn’t go far enough. But there’s only one place to point the finger for this failure: Congress itself. This is a debate that must necessarily be handled by legislators, not farmed out to unelected regulators attempting to intuit popular sentiment or deduce congressional preferences.
Of course, there are good ways and bad ways to regulate privacy. But if Congress thinks that Facebook’s data practices are evil, it can outlaw them. If it thinks they’re merely abusive or excessive, it can rein them in. And if thinks that the consumer benefits of a free social-media service outweigh the drawbacks of Facebook’s misconduct, it can leave well enough alone.
What it shouldn’t do is express ambiguous dissatisfaction and then expect the technocrats to sort it out. That’s not just irresponsible. It could lead to a patchwork of quasi-legal precedents — stitched together fine by fine, company by company — that would only lead to confusion, uncertainty and court challenges down the road.
The right approach is for Congress to specify what behavior it thinks is objectionable, then codify a set of best practices and a system of certification — perhaps along with other incentives — for companies that comply. That would allow consumers to make informed choices about what services to use, and give companies clearer rules of the road.
This may be less satisfying than imposing billion-dollar penalties. But writing rules for the digital economy shouldn’t be outsourced. It’s a job for Congress.
Editorials are written by the Bloomberg Opinion editorial board.
©2019 Bloomberg L.P.