Meta is now required to conduct a privacy review of every launch that affects user data, conducting more than 1,200 each month and deploying automation and audits to increase their consistency and rigor while ensuring orders are followed post-launch, Protti says.

Each unit of the company has to certify internally on a quarterly basis how it's protecting users’ data. After the $5 billion fine, people don’t take these certifications lightly, the former employees say. New hires have to review and agree to the consent decree before they can even get to work. Failing to complete regular privacy training locks employees out of corporate systems indefinitely, employees say. “I don't think you will find an employee that doesn't believe that privacy is absolutely mission critical for Meta,” Protti says.

The FTC contends that Meta has failed on that mission. In May, the agency alleged that Meta misled its users about the meaning of privacy settings on the Messenger Kids chat app and failed to block its business partners’ access to Facebook data as quickly as promised. The FTC wants to ban Meta from profiting off the data of people under 18 years old and require it to apply privacy commitments to companies it acquires, so no unit escapes scrutiny. Protti says the accusations and demands are unfounded.

No matter the outcome, the legal battle could be the breaking point for consent decrees.

FTC chair Lina Khan has made taking on big tech a priority, and if she wins the case the agency may feel emboldened to pursue more consent decrees and to successively tighten them to keep companies in line. But an FTC win could also weaken decrees by making companies more likely to take the chance of going to court instead of signing an agreement that could later be unilaterally revised, says Maureen Ohlhausen, an FTC commissioner from 2012 to 2018 and now a section chair at the law firm Baker Botts who has represented Meta and Google in other matters. “That changes the calculus of whether to enter a settlement,” she says.

If Meta stops the FTC’s updates to the consent decree, it might encourage other companies to try to fight the agency instead of settling. Either result in the Meta case will likely increase the pressure on US lawmakers to establish universal restrictions and precisely define the agency’s power. In the process, they could empower Americans for the first time with rights beyond the consent decrees, like to delete, transfer, and block sales of personal data held by internet giants.

Jan Schakowsky, a Democratic representative from Illinois in the congressional talks, says though the FTC has forced reform at “formerly lawless companies” through consent decrees, “a comprehensive privacy law is needed to improve Americans’ privacy across the internet and from new types of threats.” Even so, there are no clear signs that years of inaction in Congress on privacy are set to end, despite vocal support from companies including Meta and Google for a law that would not only cover their competitors but also prevent a patchwork of potentially conflicting state privacy rules.

The FTC agrees that a federal privacy law is long overdue, even as it tries to make consent decrees more powerful. Samuel Levine, director of the FTC's Bureau of Consumer Protection, says that successive privacy settlements over the years have become more limiting and more specific to account for the growing, near-constant surveillance of Americans by the technology around them. And the FTC is making every effort to enforce the settlements to the letter, Levine says. “But it's no substitute for legislation," he says. "There are massive amounts of data collected on people not just from these biggest tech companies but from companies not under any consent decree.”