The Pill Mills of the Fortune 500

The downfall of Purdue Pharma illustrated the role played by drugmakers in the opioid crisis. Large settlements paid by the likes of McKesson and AmerisourceBergen highlighted the culpability of the major drug wholesalers. Now more attention is being paid to the other players in the corrupt supply chain: pharmacies.

The assumption used to be that the main retail culprits were small pharmacies in places such as West Virginia that readily filled far more oxycontin prescriptions than would be expected to arise from legitimate use in their communities. Those businesses, like the unscrupulous clinics that wrote the prescriptions, are often called pill mills.

A decision just handed down by a federal court in San Francisco indicates that our understanding of that phrase needs to be revised. Following a bench trial, U.S. District Judge Charles Breyer ruled that the giant pharmacy chain Walgreens improperly dispensed hundreds of thousands of suspicious prescriptions for narcotic painkillers in the Bay Area over more than a decade.

“In exchange for the privilege of distributing and dispensing prescription opioids,” Judge Breyer wrote, “Walgreens has regulatory obligations to take reasonable steps to prevent the drugs from being diverted and harming the public. The evidence at trial established that Walgreens breached these obligations.”

Those regulatory obligations come from the Controlled Substances Act (CSA), a federal law which regulates the distribution of drugs ranging from Xanax to fentanyl. As shown in Violation Tracker, the U.S. Justice Department and the Drug Enforcement Administration have brought about two dozen successful CSA actions against large pharmacy chains, including those operated by the big supermarket companies.

In 2013 Walgreens had to pay $80 million to resolve a DEA case involving what the agency called “an unprecedented number of record-keeping and dispensing violations.” CVS, another pharmacy goliath, has paid out over $130 million in a dozen CSA cases.

These amounts are likely to be dwarfed by the damages against Walgreens in the San Francisco case, which have yet to be determined. Walgreens and CVS, along with Walmart, are also embroiled in an opioid test case brought by two counties in Ohio. The plaintiffs are seeking a payout of several billion dollars to help pay for addiction services.

If those Ohio counties are successful, it would give a green light to several thousand other cases that have been filed around the country and are being treated as a multidistrict action. On top of that, Walgreens, CVS and Walmart are facing a slew of opioid cases brought by the Cherokee Nation and other tribes.

It is unlikely that Walgreens or CVS will suffer the same fate as Purdue Pharma, which had to file for bankruptcy and agree to turn itself into a public benefit company while its owners, the Sackler Family, had to promise to pay out billions. CVS, which generated nearly $8 billion in profits last year, is particularly well positioned to handle the massive settlements to come.

The real question is whether it and Walgreens will own up to their misconduct and get serious about complying with their obligations to prevent opioid abuse.

Another Crooked Bank

When one large corporation is found to be breaking the law in a particular way, there is a good chance that its competitors are doing the same thing. The latest evidence of this comes in an announcement by the Consumer Financial Protection Bureau concerning U.S. Bank.

The CFPB fined the bank $37.5 million for illegally accessing credit reports and opening checking and savings accounts, credit cards, and lines of credit without customers’ permission. U.S. Bank employees were said to have done this in response to management pressure to sell more financial products and thus generate more fee revenue.

If this sounds familiar, it is exactly what came to light in 2016 regarding Wells Fargo, which was initially fined $100 million by the CFPB for the fraudulent practice and subsequently faced a wave of other legal entanglements, including a case brought by the U.S. Justice Department in which Wells had to pay $3 billion to resolve civil and criminal charges.

The U.S. Bank case has not yet generated the tsunami of outrage that accompanied the revelations about the phony accounts at Wells. Perhaps that is because it is the middle of the summer. Yet chances are that the CFPB’s enforcement action will not be the only punishment the bank will face.

U.S. Bank’s practices were no less egregious than those of Wells. According to the CFPB, the management of the bank, which currently has more than half a trillion dollars in assets, was aware for more than a decade that its employees were creating fictitious accounts.

And like Wells, U.S. Bancorp has a long history of questionable behavior. Violation Tracker documents more than $1.2 billion in penalties from 40 cases dating back to 2000. Half of the total comes from offenses involving serious deficiencies in anti-money-laundering practices, including a 2018 case in which the bank had to pay $453 million to settle criminal charges brought by the U.S. Justice Department plus another $75 million to the Office of the Comptroller of the Currency to resolve civil allegations.

In 2014 U.S. Bank had to pay $200 million to settle allegations that it violated the False Claims Act by knowingly originating and underwriting mortgage loans insured by the Federal Housing Administration that did not meet applicable requirements. The bank also had a previous run-in with the CFPB, which penalized it $53 million in 2014 for unfairly charging customers for credit identity protection and credit monitoring services they did not receive.

It is likely that U.S. Bank’s penalty total will rise substantially through additional cases prompted by the CFPB’s latest allegations, which include accusations the bank violated not only the Consumer Financial Protection Act but also the Fair Credit Reporting Act, the Truth in Lending Act, and the Truth in Savings Act.

Apart from monetary penalties, U.S. Bank may face an additional form of punishment applied to Wells: in 2018 the Federal Reserve restricted the growth of the firm until it cleaned up its practices and improved its governance. Since fines have proven to be a weak deterrent against corrupt practices at major financial institutions, more aggressive measures provide the only hope of bringing the big banks under control.

Parent Company Makeovers?

The addition of historical parent data to Violation Tracker, including a list of the most penalized corporations based on that data, may have led some p.r. executives to hope that their employer would look better on the new tally. Many of them will end up disappointed.

In last week’s Dirt Diggers, I compared the 100 most penalized current parents to the 100 most penalized historical parents and found limited differences. This week I expand the focus to the top 1,000.  

Among that larger group, nearly half have penalty totals based on historical parent-subsidy linkages that are lower than their totals based on current ownership relationships.

Yet the median difference for those with lower historical totals is just $14 million. Only 34 of the 1,000 companies ended up with zero penalties using the historical basis; another 33 ended up with totals below $1 million. The biggest beneficiary of the different approach is Viatris, almost all of whose $1 billion in penalties based on current linkages were incurred by Mylan and Upjohn before they merged in 2020 to form the new company.

Other parents that look good when switching from current to historical linkages include: Equitable Holdings, whose big penalties occurred when it was owned by AXA, and Daimler Truck, just about all of whose penalties date from the period when it was still part of Daimler AG, now known as Mercedes-Benz Group.

Among the 1,000 most penalized current parents there are more than 400 whose historical total is exactly the same, reflecting the fact that they neither acquired nor spun off penalized subsidiaries. Those in this group with the largest penalty amounts are Deutsche Bank, Purdue Pharma, GlaxoSmithKline, Toyota, Allianz, PG&E, and Barclays. The median penalty total for all the zero-difference parents in the top 1000 list is $59 million.

Sixty-seven of the top 1,000 parents look worse when switching from the current to the historical basis. That is because they divested a heavily penalized subsidiary. Those with the biggest penalty differences include: Abbott Laboratories, which spun off AbbVie with its $1.5 billion in penalties; AXA, which spun off Equitable and its $651 million in penalties; and Daiichi Sankyo, which sold Ranbaxy USA, which had accumulated more than $500 million in penalties.

Another 11 companies—such as BP, which sold its heavily penalized operations in Texas City, Texas to Marathon Petroleum, and General Electric, which has been downsizing in numerous sectors—have historical penalty totals at least $100 million lower than their current totals. Yet all of those still end up with historical totals of more than $300 million, and in four cases—BP, Johnson & Johnson, GE and Boehringer Ingelheim—the amount is above $1 billion.

The upshot of all this is that switching the focus from current to historical parent linkages does not show a dramatic difference in the misconduct track record of most large companies. While the new data may not help much for company makeovers, I hope it will prove useful for those taking a critical look at corporate behavior.

Note: the historical parent data now in Violation Tracker is accessible only to those who purchase a subscription. Searching and displaying the other data remain free of charge.

Violation Tracker’s New Track

Since Violation Tracker was introduced in 2015, my colleagues and I at the Corporate Research Project have put a lot of effort into identifying the ultimate parent companies of the firms named in the many thousands of individual enforcement records we collect. This has allowed us to show which of those parents have the highest penalty totals linked to their current line-up of divisions and subsidiaries. That dubious distinction has been achieved by the likes of Bank of America, BP and Volkswagen.

Some of the corporations on this list have complained it is unfair to link them to penalties incurred by subsidiaries before they were acquired. We have taken the position that when a company is purchased, the acquirer is in effect buying that entity’s track record. We have thus felt comfortable attributing those past bad acts to the current owners.

Nonetheless, we recognize that Violation Tracker users may want to distinguish between penalties received while the entity has been linked to the current owner and those that occurred before. We thus undertook the task of reconstructing the ownership history of the entities named in the 106,000 entries in Violation Tracker that are linked to one of the more than 3,000 parents for which we aggregate data.

That project is now complete, and the historical data has been incorporated in a newly redesigned Violation Tracker—both in the individual entries and in a list showing the 100 parents with the largest penalty totals based on ownership linkages at the time each penalty was announced.

Before I reveal more about that list, I must report that the cost of this project and the ongoing expenses associated with a very labor-intensive resource compelled us to begin requiring users to purchase a subscription in order to access certain features of the site. Those features include the parent history data and the ability to download search results. Searching and displaying search results (without the historical data) remain free of charge. More details of the subscription system can be found here.

The expanded entries visible to subscribers show the parent at the time of the penalty and the current parent. If the two are different, there is a field summarizing the ownership changes that occurred. For example, an entry on a penalty paid in 2002 by the trucking company Overnite Transportation now notes that its parent at the time was Union Pacific. A new history recap field states: “In 2003 Union Pacific spun off Overnite. In 2005 the company was acquired by United Parcel Service, which sold it to TFI International [the current parent] in 2021.” In addition to accessing such information in individual entries, subscribers can search by historical parent name in the Advanced Search section.

Returning to the list of most penalized parents based on historical ownership linkages, the first finding is that it contains many of the same corporations as the list based on current linkages. In fact, the same name is at the top of both lists: Bank of America. The only difference is that BofA’s historical penalty total–$79 billion—is lower than its total on the current list: $83 billion. That mainly reflects the subtraction of the penalties incurred by Merrill Lynch and Countrywide before they were acquired by BofA amid the financial crisis of 2008.

JPMorgan Chase, number two on the current list, drops to third place on the historical list because of the elimination of penalties related to its big 2008 acquisitions: Washington Mutual and Bear, Stearns. BP rises from third to second. Otherwise, the corporations in the top ten and their rankings are identical in the two lists. The others in that group are: Volkswagen, Citigroup, Wells Fargo, Deutsche Bank, UBS, Goldman Sachs, and Johnson & Johnson. Their penalty totals range from $14 billion to $25 billion on both lists.

Expanding the focus to the full list of the top 100 yields similar results. Eighty-four of the 100 most penalized current parents are also on the list of the 100 most penalized historical parents. Of the remaining 16, four fall slightly above 100 in the historical ranking. The other dozen are parents which, like Bank of America and JPMorgan Chase, bought or merged with other companies with substantial penalty histories.

For example, when Occidental Petroleum bought Anadarko Petroleum in 2019, it took on a business that had earlier been involved in a $5 billion settlement with the Justice Department. Apart from Anadarko, Occidental has accumulated $218 million in penalties.

Among the 16 companies on the historical top 100, but not the current list, is Abbott Laboratories. It gets eliminated from the current list because of its 2013 spinoff of AbbVie, which included businesses with more than $1.5 billion in previous penalties. Without AbbVie, Abbott still has penalties of $785 million.

Any parent company with ownership changes involving businesses with substantial penalty records is going to rank differently on the current and historical lists. Yet these differences do not change the fact that most large corporations have abysmal compliance records no matter how we add up their penalties.

The Regulation Bashers

Uber Technologies, a company which already had a less than sterling reputation, now has to contend with more blemishes on its record, thanks to a massive leak of internal documents to the International Consortium of Investigative Journalists.

Using what has been dubbed the Uber Files, ICIJ and partner media outlets such as The Guardian and The Washington Post have published a flurry of articles describing how the company, during a period when cofounder Travis Kalanick was still CEO, used a variety of aggressive techniques to fight regulators as it sought to conquer the tax industry around the world. At the same time, the company ingratiated itself with numerous world leaders to help in its expansion. Some Uber executives liked to refer to themselves as “pirates.”

While many of the details are fascinating, the main revelations in the Uber Files are far from surprising. The company was already known for ruthless tactics. In the United States alone, Uber has racked up more than $300 million in fines and penalties. About half of that total comes from a single settlement with a group of states which alleged that it tried to cover up a data breach affecting over 50 million customers.

Uber paid $20 million to resolve Federal Trade Commission allegations that it misled prospective drivers with exaggerated claims about earnings potential and about the availability of vehicle financing. It paid $10 million to Los Angeles and San Francisco counties (another $15 million was suspended) in settlement of allegations it misled customers about the background checks it carried out on its drivers. It was fined numerous times by state regulators for operating without proper authority or for failing to comply with reporting requirements.

It is clear that Uber, especially during the Kalanick era, has regarded regulation with contempt. One cannot help but suspect that the company’s name is meant to portray it not only as being above its competitors but also above the oversight of governments.

While Uber has been quite brazen in its hostility toward regulation, that opposition is hardly unusual. The Uber Files are appearing not long after the rightwingers of the U.S. Supreme Court handed down a ruling that not only blocked the Biden Administration’s effort to limit greenhouse gas emissions but may also lead to the dismantling of many other forms of government oversight of business.

There is now growing concern that the Court could revive rulings such as the 1905 Lochner decision which struck down a New York law that prohibited employers from imposing excessive working hours. Lochner held sway for several decades until giving way to the labor protections adopted during the New Deal era.

It is not hyperbole to suggest that the Court wants to bring back an economy that resembles the laissez-faire system of the 19th Century. That is, after all, an implication of the originalism the rightwing Justices claim to espouse. If Roe has to be overturned because the Constitution says nothing about abortion, then don’t laws about fair labor standards or product safety also have to fall because the founders did not address those issues either?

It may be that the bigger threat comes not from business executives pretending to be pirates but from extremists in black robes laying waste to essential government safeguards.

Corrupt Watchdogs

At first glance it seemed to be a satirical piece from The Onion. The Securities and Exchange Commission issued a press release announcing that Big Four accounting firm Ernst & Young was being fined $100 million for failing to prevent its audit professionals from cheating on ethics exams required to obtain and maintain their CPA licenses.

Not only did EY exercise poor oversight over its employees—it also tried to withhold evidence of the misconduct from agency investigators. This prompted the SEC to impose the largest fine ever against an audit firm.

The SEC’s release quoted Enforcement Division Director Gurbir Grewal as saying “it’s simply outrageous that the very professionals responsible for catching cheating by clients cheated on ethics exams, of all things,” adding: “And it’s equally shocking that Ernst & Young hindered our investigation of this misconduct.”

Yes, it’s shocking, shocking in a Casablanca sort of way to learn that EY management is apparently as corrupt as its auditors. The SEC failed to mention that EY has a long track record of misconduct. Even before this latest case, it has racked up more than $350 million in fines and settlements since 2000, as documented in Violation Tracker.

In 2013, for instance, EY paid $123 million to resolve allegations that it promoted a tax shelter scheme to clients that was so dodgy that the IRS asked the Justice Department to bring criminal charges against the firm. In 2009 EY paid $109 million to the Michigan Attorney General to settle allegations that it failed to expose accounting fraud in its audits of HealthSouth Corporation.

The SEC itself fined EY eight previous times in the past two decades, including a case last year in which the firm paid $10 million to settle allegations it violated auditor independence rules.

EY is not the only member of the Big Four with a checkered record—they are all tainted. As shown in Violation Tracker, PricewaterhouseCoopers has accumulated $114 million in penalties, Deloitte has $260 million and KPMG a whopping $560 million.

A big portion of the KPMG total came from a 2005 case in which it paid $456 million to resolve criminal charges that it designed and marketed fraudulent tax shelters. It has paid penalties to the SEC nine times since 2000—including a $50 million fine involving the same kind of cheating found at EY.

Given the ineffective deterrent effects of monetary penalties and criminal charges resolved through non-prosecution and deferred prosecution agreements, one might ask whether there is any way to eliminate corruption among the big auditing firms.

The 2002 Sarbanes-Oxley Act created a federal entity called the Public Company Accounting Oversight Board, which is supposed to keep auditing firms on the straight and narrow. It has brought more than 100 cases against the Big Four and smaller firms, yet auditing scandals continue to happen.

There is a need to find ways to end the stranglehold the Big Four have on providing auditing services for large corporations. This could include reforms such as stricter requirements for companies to rotate the firms they use. New reforms adopted in the UK will require large corporations to use smaller firms for at least a portion of their auditing.

A bolder approach could involve the creation of non-profit auditing agencies with more rigorous independence rules to prevent them from being influenced by unscrupulous clients. These and other reforms are urgently needed to end a system in which auditors who are supposed to ferret out corruption instead end up facilitating it.

Note: Just before the EY case was announced, Violation Tracker posted its latest quarterly update with about 10,000 new federal, state and local regulatory enforcement actions and class action lawsuits. This brought the total number of entries to 522,000 and total penalties to $804 billion. The EY case will be added soon.

ESG Besieged

Things have been rough lately for those high-minded asset management services promoting ESG investment practices. The Right is dragging ethical investment into its culture war, accusing the ESG world of promoting “woke capitalism.” In a recent op-ed in the Wall Street Journal, former Vice President Mike Pence went so far as to state that “the next Republican president and GOP Congress should work to end the use of ESG principles nationwide.”

Unfortunately, the ESG world has left itself vulnerable to such attacks. Its criteria for deciding which corporations deserve a seal of approval are often less than rigorous and may be based on unverified data produced by the companies themselves.

The problems of ESG have reached the point that the Securities and Exchange Commission recently proposed rules that would impose stricter disclosure standards on ethical investment funds and require them to meet somewhat stricter criteria in order to use ESG or related terms in the name of the fund.

Yet perhaps the biggest embarrassment for the ESG world just occurred in Germany, where dozens of agents from the Frankfurt public prosecutor’s office and the financial regulatory agency BaFin raided the offices of Deutsche Bank and its asset management subsidiary DWS. In the wake of that action, the chief executive of DWS resigned.

The investigators were reported to be seeking evidence that DWS defrauded clients by exaggerating the extent to which its green investment products were actually based on sustainable practices. In other words, the Deutsche Bank subsidiary appears to be under criminal investigation for engaging in greenwashing. The case is said to be related to a probe that the SEC has reportedly been conducting of the matter—though without any dramatic raids.

Without pre-judging the outcome of the investigation, I find it difficult to believe that DWS is innocent. After all, it is part of a corporation with a long history of engaging in misconduct. As shown in Violation Tracker, it has racked up more than $18 billion in fines and settlements for cases involving the sale of toxic securities, manipulation of interest rate benchmarks, promotion of fraudulent tax shelters, violations of anti-money-laundering laws, foreign bribery, and more. This is all on top of Deutsche Bank’s questionable business dealings with Donald Trump and Jeffrey Epstein.

I’ve always found it odd that a bank with a reputation such as this could put itself forth as a practitioner of ethical investing. Yet that is a big part of the problem with ESG. Rap sheets such as that of Deutsche Bank are often ignored, and companies are deemed worthy based on some specific practice that is far from representative of its overall behavior.

The Deutsche Bank case is not the only example of an ESG investment adviser being held to account. Recently, the SEC charged BNY Mellon Investment Adviser for misstatements and omissions concerning the ESG criteria used in some of its mutual funds. The company agreed to pay $1.5 million to resolve the matter.

Cases such as these signal that the ethical investing world is going to have to get a lot more ethical—and rigorous—if it is going to survive.

The Biden Administration’s First Corporate Crime Mega-Case

Observers of the corporate crime scene have been waiting to see when the regulators and prosecutors of the Biden Administration would announce a mega-case of the sort that had largely disappeared during the lackluster enforcement period of the Trump years. That case has arrived, and the target is not exactly a household name in the United States: the German financial services corporation Allianz.

The Justice Department and the Securities and Exchange Commission have announced that Allianz and its investment management arm, Allianz Global Investors (AGI), will pay more than $6 billion to resolve criminal and civil allegations relating to what the SEC called a “massive fraudulent scheme.” The victims of that scheme included public employees participating in pension funds that were misled about the riskiness of complex financial products marketed by AGI. The true extent of the risk became evident during the COVID-related market volatility of 2020, when the pension funds and other investors suffered catastrophic losses.

The $6 billion settlement ranks among the 20 largest penalties recorded in Violation Tracker for the period since January 2000. More than half of those cases involve financial services corporations.

Allianz, whose Violation Tracker penalty total until now was $182 million, joins the 30 banks and other financial services companies that have each paid more than $1 billion in aggregate penalties. These include 13 European banks, among which are two from Germany: Deutsche Bank and Commerzbank.

There are a couple of encouraging aspects of the AGI case that go beyond the substantial monetary penalty. First, the SEC announced that AGI, because of its guilty plea in the DOJ case, will be disqualified from providing advisory services to US-registered investment funds for the next ten years, and will exit the business of conducting these fund services.  This contrasts with other cases in which financial services companies have avoided these sorts of consequences in criminal cases by arranging for the guilty plea to be submitted by a minor subsidiary—or by getting a waiver.

In addition, criminal charges were brought not only against the company but also against several individuals, including Gregoire Tournant, the chief investment officer of AGI. Tournant was charged with securities fraud and investment fraud as well as obstruction of justice. The latter related to allegations that Tournant and the other defendants made multiple, ultimately unsuccessful, efforts to conceal their misconduct from the SEC, including, the agency stated, “false testimony and meetings in vacant construction sites to discuss sending their assets overseas.”

The charges against Allianz were all the more appropriate in that the company’s U.S. operations have been involved in several other investor deception cases. For example, in 2004, three of its subsidiaries were fined $50 million by the SEC. Another subsidiary paid $18 million to settle a case with the New Jersey Attorney General. Yet another unit was fined $5 million by the industry regulator FINRA. Allianz’s U.S. insurance subsidiaries have also been fined numerous times by state regulators.

Let’s hope that the Allianz matter is a sign that the Biden Administration is serious about cracking down on corporate crime and that recidivists will be made to pay a significant price for their ongoing transgressions.

A New Kind of Corporate Watchdog

Large companies prone to misconduct usually have to contend with three main kinds of watchdogs: government regulators and prosecutors, class action lawyers, and activist institutional investors. These parties have, respectively, the ability to impose fines, extract settlements, and bring about policy changes through shareholder resolutions.

Now it turns out that corporations are increasingly being scrutinized in another way. According to a recent article in Law360, insurance companies are paying more attention to business conduct. This is especially the case for ESG (environmental, social and governance) practices that big firms tout as evidence that they are good corporate citizens.

Underwriters providing coverage for liability claims against directors and officers are taking a more aggressive posture in two respects. First, they want to be sure any company they insure is not behaving in a way that could hurt the financial situation of the firm or damage its reputation, either of which could lead to costly shareholder lawsuits. Second, they are taking a closer look at the ESG reporting of the companies to see whether it is accurate.

Since corporations have to stay in the good graces of their insurers if they want to maintain their coverage, this trend toward stricter risk management could have significant positive consequences. For too long, insurers took a passive position toward questionable corporate conduct. They covered claims without doing much to get clients to change that behavior.

It is especially significant that more insurers are no longer taking the statements of firms at face value. The Law360 article quotes an official at insurance broker AON as saying that when it comes to ESG, “some companies just checked the box and said they have a policy in place, but that was never implemented.”

This gets to the heart of the problem with ESG policies: they are voluntary and largely unenforceable, while outcomes are often unverifiable. This makes them attractive to corporations: they can make grandiose claims about the good they are doing, and outsiders have to take their word for it.

Insurers have come to realize, Law360 reports, that “underlying litigation risk and uncertainty will continue to grow in the absence of clear definitions and common standards and regulations applicable to ESG.”

It remains to be seen whether insurers can get companies to establish clearer definitions. It may be that ESG is inherently fuzzy and that serious standards can only come from government regulators. Yet the new posture of the insurers could help discourage the most unsubstantiated ESG claims.

Hopefully, insurers will come to see that the most valid measures of business behavior should be based on metrics assembled outside the companies themselves. That is what my colleagues and I attempt to do with Violation Tracker.

The data we collect is all from regulatory agencies and court records. We ignore the statements of corporations, including those—such as the Legal Proceedings sections of 10-K filings—in which firms are supposed to own up to their transgressions. Those disclosures are almost always incomplete.

In the end, meaningful change in corporate behavior will only come about through outside pressures, not boardroom enlightenment. If insurers are serious about contributing to those pressures, so much the better.

Getting Tough with Corporate Privacy Violators

Privacy violations, which used to be a relatively minor compliance issue for large corporations, have now become a much more serious concern. And a recent Federal Trade Commission case could be a sign of more aggressive enforcement practices to come.

Back in the early 2000s, privacy cases consisted mainly of actions brought by state regulators against fly-by-night operations that ran afoul of Do Not Call rules by placing large numbers of unwanted marketing robocalls. The data in Violation Tracker indicate that aggregate federal and state privacy penalties across the country were only a couple of million dollars per year.

Over the past decade, total agency privacy penalties have grown substantially, exceeding $50 million each year since 2016. The blockbuster cases fall into two major categories. The first involves corporations that were fined for allowing major breaches of their customers’ data to occur. For example, in 2018 Uber Technologies had to pay $148 million to settle a case brought by state attorneys general for a breach of data on 57 million customers and drivers—and for attempting to cover up the problem rather than reporting it to authorities.

The other category consists of cases in which corporations were directly responsible for the privacy violation. In 2019, for instance, Google and its sister company YouTube agreed to pay $136 million to the FTC and $34 million to New York State to settle allegations that the companies violated rules regarding the online collection of personal data on children.

This category also includes the largest privacy penalty of all—the $5 billion paid by Facebook to the FTC in 2019 for violating an earlier order by continuing to deceive users about their ability to control the privacy of their personal information.

Also in this category is a recent case handled by the FTC and the Department of Justice against WW International (formerly Weight Watchers International Inc.). The agencies are collecting $1.5 million in civil penalties from the company for violating the Children’s Online Privacy Protection Act in connection with their weight management service for children, Kurbo by WW. The government had alleged that WW collected personal data such as names and phone numbers as well as sensitive information such as weight from users as young as eight years old without parental consent.

In addition to the monetary penalty, the FTC took the unusual (but not unprecedented) step of requiring WW to delete their ill-gotten data and destroy any algorithms derived from it. As a blog post from the law firm Debevoise & Plimpton points out, this kind of punishment can have a major impact, given that a single tainted dataset may require the destruction of multiple algorithms.

Requiring corporate miscreants to destroy intellectual property is in line with the ideas recently proposed by Consumer Financial Protection Bureau director Rohit Chopra for using measures beyond monetary penalties in regulatory enforcement. Chopra called for forcing misbehaving companies to close or divest portions of their operations—and, in the most egregious cases, to lose their charters.

The moves by the FTC and the CFPB are signs that regulators are recognizing that aggressive new enforcement tools are needed to shake up large corporations that have grown too comfortable paying their way out of legal jeopardy.