Case Study: The FTC and Big Tech: Consent Decrees and Their Limitations

"A consent decree is supposed to be the beginning of reform. In practice, it is often the end of accountability." — Rohit Chopra, FTC Commissioner (dissent in Facebook settlement, 2019)

Overview

In the absence of a comprehensive federal privacy law, the Federal Trade Commission has served as the United States' primary data privacy enforcer for over two decades. Its tool of choice: the consent decree — a negotiated settlement in which a company agrees to specific obligations without admitting wrongdoing. Since 2000, the FTC has entered into consent decrees with hundreds of companies for data privacy violations, ranging from small data brokers to the world's largest technology platforms.

This case study examines the FTC's consent decree model as an enforcement mechanism — its design, its application to major technology companies, its achievements, and its fundamental limitations.

Skills Applied:

  • Analyzing the consent decree as an enforcement mechanism
  • Evaluating whether negotiated settlements achieve accountability
  • Comparing US and EU enforcement approaches
  • Assessing the adequacy of general consumer protection authority for data privacy


How It Works

A typical FTC data privacy enforcement action proceeds as follows:

  1. Investigation: The FTC identifies a potential violation, usually through a consumer complaint, media report, or the FTC's own monitoring.
  2. Complaint: The FTC files an administrative complaint or a federal court complaint alleging that the company's data practices constitute "unfair or deceptive acts or practices" under Section 5 of the FTC Act.
  3. Negotiation: In most cases, the company negotiates a settlement rather than litigating. The settlement takes the form of a consent decree (or "consent order").
  4. Terms: The consent decree typically includes: (a) a prohibition on the deceptive or unfair practices identified, (b) affirmative obligations (implementing a privacy program, conducting third-party assessments), (c) reporting requirements, and (d) sometimes a monetary penalty.
  5. Duration: Consent decrees typically last 20 years.
  6. Enforcement: If the company violates the decree, the FTC can seek contempt sanctions, including per-violation penalties.

The No-Admission Clause

A critical feature of FTC consent decrees is that companies do not admit wrongdoing. The consent decree is "for settlement purposes only" — the company agrees to comply with specified obligations but does not concede that it violated the law. This has significant implications: the company faces no legal finding of liability, the decree cannot be used as evidence in private litigation, and the company's reputation is partially shielded by the absence of an admission.


Landmark Cases

Facebook/Meta (2012 and 2019)

The 2012 Decree: The FTC's first consent decree with Facebook followed an investigation into the company's privacy practices. The FTC found that Facebook had: made privacy representations to users that it did not honor; changed privacy settings without adequate notice; and shared user information with third-party apps in ways that contradicted its privacy policy. The 2012 decree required Facebook to: not misrepresent its privacy practices; obtain express consent before sharing data beyond a user's privacy settings; implement a comprehensive privacy program; and submit to biennial third-party privacy assessments for 20 years.

The 2019 Settlement: Seven years later, the FTC determined that Facebook had violated the 2012 consent decree — primarily through the Cambridge Analytica scandal, in which a third-party app harvested data from 87 million Facebook users and shared it with a political consulting firm. The 2019 settlement included:

  • $5 billion penalty: The largest privacy-related penalty in FTC history, and the largest penalty the FTC had ever imposed for any violation.
  • Structural requirements: A new privacy committee on Facebook's board of directors; a designated compliance officer; CEO certification of privacy compliance (making Mark Zuckerberg personally liable for misrepresentations).
  • Enhanced oversight: Quarterly privacy impact assessments, annual third-party audits, and FTC review of new products and services.

The Dissent: Two of the five FTC commissioners voted against the settlement. Commissioner Rohit Chopra argued that the $5 billion penalty — while large in absolute terms — amounted to roughly one month's worth of Facebook's revenue and would not deter future violations. He further argued that the settlement failed to impose personal liability on senior executives (the CEO certification requirement was criticized as largely symbolic), did not require changes to Facebook's fundamental business model (data-driven advertising), and resolved the case without a judicial finding of liability.

Google/YouTube (2019)

The FTC and the New York Attorney General imposed a $170 million settlement on Google for YouTube's violations of COPPA — collecting personal information from children under 13 without parental consent. YouTube knew that children used the platform (internal communications showed employees discussing their child audience) but treated all users as adults for data collection and advertising purposes.

The settlement required YouTube to: develop a system for identifying child-directed content; obtain verifiable parental consent before collecting data from children watching child-directed content; and disable personalized advertising on child-directed videos. The settlement was criticized by children's privacy advocates as insufficient — $170 million represented days of YouTube's advertising revenue.

Epic Games/Fortnite (2022)

The FTC imposed a combined $520 million penalty on Epic Games (maker of Fortnite) for COPPA violations and the use of dark patterns. The FTC found that: Fortnite collected personal data from children without parental consent; the game's default settings enabled voice and text chat with strangers, exposing children to harassment; and Epic used dark patterns (confusing interfaces, accidental charges) that led to unauthorized purchases.

The settlement was notable for the FTC's explicit focus on dark patterns — marking a shift toward addressing design-level manipulation, not just data collection practices.

Amazon (2023)

The FTC imposed a $25 million penalty on Amazon for Alexa's retention of children's voice recordings. Amazon had promised parents that they could delete children's voice data from Alexa but retained transcripts of voice interactions even after parents requested deletion. The FTC found this practice both deceptive (misrepresenting deletion capabilities) and unfair (retaining children's data against parents' wishes).


Arguments for Effectiveness

Behavioral baselines. Consent decrees establish specific behavioral requirements that companies must follow for 20 years, creating enforceable minimum standards. The obligations — privacy programs, third-party assessments, CEO certifications — create institutional infrastructure that did not previously exist.

Escalating consequences. The progression from a non-monetary decree (Facebook 2012) to a $5 billion penalty (Facebook 2019) demonstrates that repeated violations produce escalating consequences. The threat of even larger penalties for future violations creates ongoing deterrence.

Precedential effect. FTC enforcement actions, even without formal legal precedent (since cases are settled rather than adjudicated), establish norms that other companies observe. When the FTC takes action against dark patterns or COPPA violations, the entire industry adjusts.

Flexibility. Consent decrees can be tailored to the specific practices and circumstances of each company, allowing the FTC to craft remedies that address root causes rather than imposing one-size-fits-all penalties.

Arguments Against Effectiveness

The cost-of-doing-business problem. For the largest technology companies, even billion-dollar penalties represent a small fraction of revenue. Facebook's $5 billion fine was approximately 9% of its 2018 revenue — significant but manageable. If the practices that generated the fine produced more revenue than the fine itself, the decree incentivizes violation-then-settlement rather than compliance.

No admission of wrongdoing. Without admitting liability, companies preserve their public narrative. Facebook characterized the $5 billion settlement as a "forward-looking" agreement, not a punishment for past violations. This framing undermines the settlement's deterrent and accountability functions.

Structural limitations. Consent decrees modify behavior within the existing business model. They do not — and arguably cannot — require fundamental business model changes. The FTC can prohibit deceptive practices and require privacy programs, but it cannot order Facebook to stop using personal data for advertising or order YouTube to stop collecting data for recommendations. The practices that generate the most significant privacy harms are often core to the company's business.

Monitoring capacity. The FTC lacks the resources to monitor consent decree compliance in real time. Third-party assessments (required by most decrees) are valuable but periodic, and assessors are typically hired by the company they are assessing — creating a structural conflict of interest. Between assessments, compliance depends largely on the company's good faith.

The 20-year horizon. Consent decrees last 20 years, but technology evolves far faster. A decree written in 2019 addresses the privacy practices of 2019; by 2029, the technology landscape will have changed fundamentally. The decree's specific prohibitions may become irrelevant while new, uncontemplated practices create new harms.


Comparison to EU Enforcement

The FTC's consent decree model and the GDPR's enforcement model represent fundamentally different approaches:

  Dimension           | FTC Consent Decrees                                              | GDPR Enforcement
  Legal basis         | General consumer protection (Section 5)                          | Dedicated data protection regulation
  Enforcement body    | Single federal agency (+ state AGs)                              | 30+ independent DPAs
  Process             | Negotiated settlement, no admission                              | Administrative finding, appealable
  Penalties           | No statutory cap (but historically moderate relative to revenue) | Up to 4% of global annual turnover
  Structural remedies | Detailed behavioral requirements, monitoring                     | Corrective orders, processing bans
  Individual rights   | No individual complaint mechanism through FTC                    | GDPR grants individual right to complain to DPA
  Deterrence          | Escalating consequences for repeat violations                    | Proportionality-based fine calculation

Each model has strengths the other lacks. The FTC's flexibility allows tailored remedies. The GDPR's DPA network provides broader coverage. The FTC's consent decree model enables faster resolution (avoiding years of litigation). The GDPR's fine calculations create at least the potential for proportionate penalties. Neither has solved the fundamental challenge of holding global technology companies accountable for practices that generate enormous revenue.


Discussion Questions

  1. Commissioner Chopra argued that the $5 billion Facebook settlement was insufficient. What penalty would have been sufficient? Is there a level of monetary penalty that can genuinely deter a company with $86 billion in annual revenue?

  2. The consent decree model does not require companies to admit wrongdoing. Is this a necessary compromise to achieve settlements, or does it fundamentally undermine accountability? Would enforcement be more effective if the FTC litigated cases to judgment rather than settling?

  3. FTC enforcement focuses on deceptive and unfair practices — but many controversial data practices are neither deceptive (they are disclosed in privacy policies) nor unfair under the FTC's specific legal test. Does Section 5 authority provide an adequate basis for data privacy enforcement, or is a dedicated federal privacy law necessary?

  4. The FTC's enforcement resources are limited relative to the scope of the data economy. How should the FTC prioritize its enforcement actions? Should it focus on the largest companies (maximum impact per case), industry-wide practices (setting norms through representative cases), or the most harmful specific practices (targeting the worst actors regardless of size)?


Your Turn: Mini-Project

Option A: Read the FTC's complaint and consent decree in one of the cases discussed in this study. Write a 1,000-word analysis of: (a) the alleged violations, (b) the decree's requirements, (c) whether the requirements address the root causes of the violations, and (d) how you would strengthen the decree.

Option B: Research three FTC enforcement actions not covered in this case study. For each, identify the company, the violation, the remedy, and the outcome. Write a comparative analysis of enforcement patterns.

Option C: Draft a proposal for reforming FTC data privacy enforcement. Address: (a) should the FTC have rulemaking authority for data privacy? (b) should consent decrees require admission of wrongdoing? (c) should penalties be pegged to revenue? (d) should the FTC be given additional resources dedicated to data privacy?


References

  • Federal Trade Commission. "In the Matter of Facebook, Inc." Docket No. C-4365 (2012); revised order (2019).

  • Chopra, Rohit. "Dissenting Statement of Commissioner Rohit Chopra." In the Matter of Facebook, Inc. July 24, 2019.

  • Federal Trade Commission. "FTC Takes Action Against Companies and CEO for Failures to Protect Children's Privacy." Press release (Epic Games), December 2022.

  • Hoofnagle, Chris Jay. Federal Trade Commission Privacy Law and Policy. Cambridge: Cambridge University Press, 2016.

  • Solove, Daniel J., and Woodrow Hartzog. "The FTC and the New Common Law of Privacy." Columbia Law Review 114, no. 3 (2014): 583–676.

  • Ohlhausen, Maureen K. "Privacy Lessons from the FTC." Emory Law Journal 71 (2022).

  • Khan, Lina. "The New Brandeis Movement: America's Antimonopoly Debate." Journal of European Competition Law & Practice 9, no. 3 (2018): 131–132.