Joseph Jerome, who left privacy advocacy to work on Meta’s augmented reality data policies for two years before being laid off in May, says he grew to appreciate how consent decrees force companies to work on privacy. They add “checks and balances,” he says. But without clear privacy protection rules from lawmakers that bind every company, the limited scope of consent decrees allows too many problematic decisions to be made, Jerome says. They end up providing a false sense of security to users who might think they have more bite than they really do. “They certainly haven’t fixed the privacy problem,” he says.
The FTC has sometimes strengthened consent decrees after privacy lapses. In the wake of Facebook’s Cambridge Analytica data-sharing scandal, in 2020 the agency agreed to stepped-up restrictions on the company and extended Meta’s original consent decree by about a decade, to 2040. In May this year, the FTC accused Meta of failing to cut off outside developer access to user data and protect children from strangers in Messenger Kids. As a remedy, the agency wants one of its judges to impose the most drastic restrictions ever sought in a privacy decree, spooking the broader business community. Meta is fighting the proposal, calling it an “obvious power grab” by an “illegitimate decision maker.”
There is more agreement between FTC officials, Meta, Google, and the wider tech industry that a federal privacy law is overdue. Proposals raised and debated by members of Congress would set a standard all companies have to follow, similar to US state and European Union privacy laws, with new rights for users and costly penalties for violators. “Consent decrees pale in comparison,” says Michel Protti, Meta’s chief privacy officer for product.
Some key lawmakers are on board. “The single best way to increase compliance for different business models and practices is by Congress enacting a comprehensive statute that establishes a clear set of rules for collecting, processing, and transferring Americans’ personal information,” says Republican Cathy McMorris Rodgers, the chair of the House committee that has studied potential legislation for years. Until she can rally enough fellow legislators, the privacy of every American on the internet is reliant on the few safeguards offered by consent decrees.
Innocence Lost
At the time Buzz launched in 2010, Google fostered a companywide culture of freewheeling experimentation in which just a couple of employees felt they could launch ideas to the world with few precautions, according to four workers who were there during that time. The search company’s idealistic founders Larry Page and Sergey Brin closely oversaw product decisions, and head count was one-eighth of the nearly 190,000 it is today. Many of the employees “were in a utopia of trying to make information accessible and free,” says Giles Douglas, who started at Google in 2005 as software engineer and left in 2019 as head of privacy review engineering.
During the earlier era, some former employees recall privacy practices as informal, with no dedicated team. Company spokesperson Matt Bryant says it’s not true that reviews were looser before, but both sides acknowledge that it wasn’t until the FTC settlement that Google started documenting its deliberations over privacy hazards and making a clear commitment to addressing them. “The Buzz decree forced Google to think more critically,” Douglas says.