AILSA CHANG, HOST:
Things are not getting any easier for Facebook as the tech giant continues to face questions about how the data of 50 million users got into unauthorized hands. Congress wants Facebook CEO Mark Zuckerberg himself to testify while the Federal Trade Commission continues to investigate whether the company violated a 2011 consent decree. Demands for the government to do something to protect user privacy raise the question, what might effective regulation of Facebook even look like? With us now to explore that question is Jessica Rich, the former head of the FTC's Bureau of Consumer Protection. Welcome.
JESSICA RICH: Hello, Ailsa.
CHANG: Jessica, you helped shape the FTC consent decree back in 2011, right?
RICH: I did.
CHANG: What went through your mind when you were first hearing these stories about what happened with Cambridge Analytica and Facebook?
RICH: Well, like many people, my reaction was are you kidding? The facts here of allowing third parties to have unfettered access to user data and not exercising the kind of care for Facebook users that they should were the exact same facts that drove us to take action against them in 2011 and that led to the order they're now under.
CHANG: And can you just remind us what those facts were that led to the 2011 order?
RICH: Well, it was pretty similar to the facts here. It was all about sharing data contrary to user expectations and preferences. They overrode consumers' preferences to make private information public, including your friends lists. They allowed third-party apps to access virtually everything. They claim to verify the security of third-party apps and they didn't. And they said they didn't share information with advertisers when they did.
CHANG: It's eerily familiar.
RICH: Eerily familiar. It's all about allowing third parties unrestricted access to user data contrary to user preferences and expectations.
CHANG: And the penalties for violating that 2011 consent decree, they're huge. It's $40,000...
RICH: Per violation.
CHANG: So if you multiply that across 50 million users, we're talking about billions of dollars, potentially, that Facebook faces in fines. Why would a number like that, billions of dollars of potential fines, not serve as enough of a deterrent for a company like Facebook?
RICH: I really can't answer that question. It must be lack of proper compliance procedures or literally a culture that is not one that really cares about its users.
CHANG: Do you think the FTC is well-equipped to regulate social media companies like Facebook and push them to better protect user privacy?
RICH: I think the FTC is very well-equipped to do enforcement on a case-by-case basis, which is what it did here. And I have every confidence that the enforcement division that oversees order compliance will get to the bottom of this.
CHANG: But is the FTC effectively enforcing if Facebook did indeed violate a consent decree from seven years ago?
RICH: The FTC can't be expected to know every detail of companies' actions all along the way when it is monitoring an order. If the FTC takes action here against Facebook for violating the order, it will be enforcing the order now that it has these facts in hand. And if it assesses huge penalties against Facebook, it will have made an example of Facebook. It will deter Facebook hopefully in the future. And it will be an effective action. What the FTC can't do is police the entire tech marketplace for violations. It does not have the resources to do that.
CHANG: OK. So because it doesn't have the resources to do that, what more broadly should be done?
RICH: What I would propose would be simple standardize information about company practices that allow consumers to easily compare companies. There needs to be a requirement that companies secure the data they collect. And there needs to be a strong enforcer and strong penalties for violations.
CHANG: Jessica Rich is the former head of the FTC's Bureau of Consumer Protection. She's now a vice president of advocacy at Consumer Reports. Thanks very much for joining us.
RICH: Thanks for having me, Ailsa.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.