“A drop in the bucket.” “A Christmas present five months early.” “So meaningless.” “A victory for Facebook.” “An embarrassing joke.” “Chump change.” “A thumbs down for consumers.” 

Politicians and pundits on Twitter over the weekend reacted viciously to reports that Facebook—represented by Gibson, Dunn & Crutcher—had reached a $5 billion settlement with the Federal Trade Commission for privacy violations.

Here's how Matt Stoller, a fellow at the Open Markets Institute, described, the deal: “The chair of the FTC gets on all fours so Mark Zuckerberg can sit down on a human bench. Zuck then gets a bib and eats ribs, wiping his hands on the two other commissioners who must act as human napkins.”

Is it really that bad? 

Yes and no. 

There's no question that the size of the fine—the biggest-ever by the federal government for privacy violations, the biggest-ever against a tech company for any wrongdoing—was significant. But at least in theory, it could have been worse. Like 1,000 times worse. Literally.

Jenna GreeneIn 2011, you might recall, the FTC and Facebook hammered out a 20-year consent decree to resolve a series of allegations that the social media giant violated Section 5 of the FTC Act, which bars unfair or deceptive conduct. 

For example, the FTC in 2011 said Facebook failed to reveal that third-party apps could access nearly all of users' personal data, and also falsely promised users that it would not share their personal information with advertisers, but did so nonetheless.

Without admitting wrongdoing, Facebook at the time agreed to mend its ways and never again do anything like, say, “misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information.”

But then, Facebook in 2018 admitted that as many as 87 million users had their personal information improperly shared with data firm Cambridge Analytica. Researcher Aleksandr Kogan allegedly created an app, “This Is Your Digital Life,” designed to collect data surreptitiously from people who took the quiz as well as their friends—information which was later sold and allegedly used by the Trump campaign, among others, to target voters.

The penalty for violating a final FTC order is $40,000 per violation per day. So … 87 million times $40,000 a day is $3,480,000,000,000. Per day.

In deciding how to calculate the penalty for violating an order, the FTC says it considers “(1) harm to the public; (2) benefit to the violator; (3) good or bad faith of the violator; (4) the violator's ability to pay; (5) deterrence of future violations by this violator and others; (6) vindication of the FTC's authority.”

How does that add up to a $5 billion fine for Facebook? It's hard to say, but one thing is certain—Facebook has the ability to pay more. As many commentators pointed out, the company's 1st quarter profit this year (before factoring in the penalty) was $5 billion. The fine “is barely a tap on the wrist, not even a slap,” said Senator Richard Blumenthal, D-Connecticut.

Moreover, Facebook's stock rose 1.8% on Friday after news broke of the deal, suggesting that the market agreed that the company came out on top.

So why let the company off the hook for $5 billion?

Perhaps because the case might not be as open-and-shut as it might appear.

In a little-noticed dissent, then-FTC commissioner Thomas Rosch flagged a potential loophole in the 2011 agreement.

“While I hope that the majority is correct in their assertion that the consent order covers the deceptive practices of Facebook as well as the applications ('apps') that run on the Facebook platform, it is not clear to me that it does,” wrote Rosch, who died in 2016. “In particular, I am concerned that the order may not unequivocally cover all representations made in the Facebook environment (while a user is 'on Facebook') relating to the deceptive information sharing practices of apps about which Facebook knows or should know.”

You can be sure Facebook's legal team from Gibson, Dunn & Crutcher was vigorously arguing that their client did not violate the order, and that the misconduct by Cambridge Analytica fell outside the scope of the consent decree.

So maybe $5 billion was actually a good settlement for the FTC? 

Here's the other thing: We still don't know the actual terms of the deal, just the reported dollar figure. And huge fines mainly serve to punish shareholders. (Granted, that means Mark Zuckerberg, but plenty of ordinary investors too.)

What's perhaps more important will be injunctive relief and non-monetary provisions to deter future wrongdoing—a corporate monitor perhaps? Audits or quarterly reports? Here's where the FTC under Chairman Joseph Simons, a former partner at Paul, Weiss, Rifkind, Wharton & Garrison, still has the chance to show its teeth.