The Federal Trade Commission (FTC) and Department of Justice (DOJ) earlier this year announced a settlement order that requires Facebook to pay an unprecedented $5 billion civil penalty—the most ever imposed in an FTC case and among the largest civil penalties ever obtained by the federal government.
The settlement, which was in response to charges that the company deceived users about their ability to control the privacy of their personal information, also requires Facebook to implement a comprehensive, multifaceted set of compliance measures designed to improve user privacy and provide additional protections for user information.
In a press release addressing the settlement, FTC Chairman Joe Simons stated, “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
Violations of the FTC’s 2012 Settlement Order
The settlement stems from violations of a 2012 FTC settlement order in which Facebook agreed to give consumers “clear and prominent notice and obtain their express consent before sharing their information beyond their privacy settings.” Facebook was also required to maintain a comprehensive privacy program to protect consumers' information and to have that program audited by an independent third party.
According to the complaint filed in federal court, Facebook violated its 2012 settlement in several ways, including by:
- Maintaining deceptive settings that misled users about how to protect their information from being shared by Facebook with third-party developers of apps used by their Facebook friends
- Allowing third-party developers to collect data about the friends of app users through June of 2018, despite promises to stop such activity starting in 2014
- Improperly policing app developers and inconsistently enforcing its privacy policies, taking less severe action against app developers that generated significant revenue for Facebook
- Implying to approximately 60 million users that they could opt in to enable facial recognition technology associated with their posted photos and videos when, in fact, that technology was “on” by default
- Telling users that their phone numbers would be used to enable an enhanced account security tool when in fact they were also used for advertising purposes
Details About Settlement Order—Privacy Compliance System
Under the new 20-year settlement order, in addition to the financial penalty, Facebook is required to implement a privacy compliance system that instills accountability, oversight, and transparency.
Accountability will be achieved by creating an independent privacy committee of Facebook’s board of directors to oversee the company’s privacy decisions. In the past, these decisions rested with CEO Mark Zuckerberg alone. Members of the new committee must be independent, will be appointed by an independent nominating committee, and can only be removed by a supermajority of Facebook’s board of directors.
To further accountability, Facebook must designate compliance officers, subject to the committee’s approval. Zuckerberg and the compliance officers will each be required to submit quarterly and annual certifications to the FTC that the company is in compliance with the order. A false certification exposes the signer to civil and criminal penalties.
The independent privacy committee will also oversee an independent assessor who will conduct audits of Facebook’s privacy program to check for accuracy and compliance. Such audits will be conducted through the assessor’s “fact-gathering, sampling, and testing” and not on any claims made by Facebook management.
The settlement order also requires specific documentation practices, which will provide company transparency. Whenever Facebook introduces a new or modified product, service, or practice, it must review it and document the decisions affecting user privacy before implementation. Facebook is also required under the order to document any incident in which the data of 500 or more users has been compromised, along with its efforts to address the incident. That documentation must be delivered to the FTC and the assessor within 30 days of the company discovering the incident.
Additional privacy obligations under the order require Facebook to:
- Exercise better management over third-party apps by enforcing compliance with Facebook’s privacy policies
- Cease using telephone numbers acquired to enable a security feature for advertising
- Provide clear and conspicuous disclosure of its use of facial recognition technology and obtain user consent prior to use
- Establish, implement, and maintain a comprehensive data security program
- Encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext
- Stop asking consumers for the passwords to their email or other third-party accounts when they sign up for Facebook’s services
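The last two obligations are the only ones in the list that describe a concrete engineering practice: scanning for passwords that have ended up in plaintext, and keeping the stored form of a password unrecoverable. The Python below is an added example written for this page to show both; it is not Facebook's code and not part of the order. The credential field names, the log lines, the `[REDACTED]` marker convention and the PBKDF2 parameters are all constructed assumptions, and salted PBKDF2-HMAC hashing is used as the standard way to keep a password out of plaintext storage.

```python
"""Added example: scan log lines for plaintext credentials and store passwords hashed.

Field names, log lines and formats below are constructed for illustration; they are
not Facebook's code or logs and not the text of the FTC order.
"""
import hashlib
import hmac
import os
import re

# Credential-bearing field names to look for (assumed list; extend for your own schemas).
# Group 1: field name, group 2: separator and optional opening quote, group 3: the value.
CREDENTIAL_FIELD = re.compile(
    r'(?i)([A-Za-z_]*(?:password|passwd|pwd|pass))(\s*[=:]\s*["\']?)([^&\s"\']+)'
)

# Values that mean the logger already masked the secret (assumed marker convention).
REDACTED_MARKERS = {"[REDACTED]", "[FILTERED]", "***", "<redacted>"}


def find_plaintext_passwords(log_lines):
    """Return (line_no, field, value) for every unmasked credential value found."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for m in CREDENTIAL_FIELD.finditer(line):
            field, value = m.group(1), m.group(3)
            if value in REDACTED_MARKERS:
                continue
            hits.append((line_no, field, value))
    return hits


def scrub_credentials(line):
    """Replace credential values with a marker; suitable as a logging filter."""
    return CREDENTIAL_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


def hash_password(password, *, salt=None, iterations=600_000):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed sample log: two lines leak a credential, one is already masked.
SAMPLE_LOG = [
    "2019-03-21T10:00:01Z INFO  login ok user=alice",
    "2019-03-21T10:00:02Z DEBUG POST /login body=user=bob&password=hunter2&remember=1",
    "2019-03-21T10:00:03Z DEBUG POST /login body=user=carol&password=[REDACTED]",
    '2019-03-21T10:00:04Z WARN  config reload: db_pass: "s3cr3t!" host=db1',
    "2019-03-21T10:00:05Z INFO  passwords rotated for 3 accounts",
]

if __name__ == "__main__":
    for line_no, field, value in find_plaintext_passwords(SAMPLE_LOG):
        print(f"line {line_no}: field {field!r} holds plaintext value {value!r}")
    # After scrubbing, the scanner finds nothing.
    assert find_plaintext_passwords([scrub_credentials(l) for l in SAMPLE_LOG]) == []
    stored = hash_password("hunter2")
    assert verify_password("hunter2", stored) and not verify_password("hunter3", stored)
    print("stored form:", stored)
```

The scanner is deliberately simple: it looks for a credential-like field name followed by a separator and an unmasked value, so it catches both request bodies echoed into debug logs and configuration dumps. The redaction helper belongs in the logging pipeline, before lines are written, and the scanner is the independent check that the pipeline actually did its job; the hash helpers show the form a password should take at rest, so that a future leak of the store yields salts and digests rather than reusable secrets.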
Facebook’s Actionable Steps Going Forward
In response to the settlement order, Facebook stated, “… we are running a review of apps on our platform and removing significant portions of our existing platform [Application Programming Interface] API. In conjunction with this ongoing work, we will continue to take further steps to secure and increase the integrity of the Platform overall, for example:
- We introduced a new suite of controls for people to manage the apps they use with Facebook.
- We are rewarding people who alert us to data misuse by app developers on our Platform.
- We implemented a new review process for every new API or expansion of existing APIs across the company.
This review and the new systems that we build are subject to more rigorous oversight and legal compliance process.”
Businesses that maintain customer information should view this settlement as an indication of things to come. Zuckerberg summarized it well when he said that “the accountability required by this agreement surpasses current US law ... It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements.”
All companies are advised to review their current privacy policies and procedures and use the guidelines provided in the settlement as direction for updates and added security measures. It’s also imperative to train applicable personnel in privacy matters. Not taking data privacy matters seriously is a costly risk that isn’t worth taking.