Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.
2012 Consent Order
The FTC alleges in its complaint that Facebook violated the 2012 consent order, which prohibited the company from misrepresenting the privacy or security of consumers’ personal information, and the extent to which Facebook shared personal information with third parties. The FTC alleges Facebook violated the consent order when it deceived its users by sharing the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings. The FTC also alleges that Facebook violated the consent order by failing to screen app developers before granting them access to user data and by misrepresenting users’ ability to control the use of facial recognition with their accounts. In addition to violations of the consent order, the FTC alleges that Facebook violated the FTC Act’s prohibition against deceptive practices by re-using telephone numbers collected to enable two-factor authentication for advertising purposes.
Facebook’s New Restrictions, Requirements, and Modified Corporate Structure
Along with the $5 billion penalty, the new consent order will require Facebook to change its approach to privacy by ensuring executives are held accountable for their privacy decisions and that these decisions are subject to meaningful oversight. The settlement also mandates the creation of an independent privacy board that will designate new compliance officers responsible for Facebook’s privacy program.
Other privacy requirements include:
- Independent third-party assessments to evaluate the effectiveness of Facebook’s privacy program and identify any gaps;
- Privacy reviews of every new or modified product, service, or practice before it is implemented, and a requirement to document all decisions about user privacy;
- Oversight over third-party apps by terminating app developers who fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data; and
- Clear and conspicuous notice of Facebook’s use of facial recognition technology, and a requirement to obtain affirmative and express user consent prior to any use that materially exceeds its prior disclosures to users.
The settlement also requires Facebook to implement a new comprehensive data security program and cease the practice of using information collected for security purposes for advertising.
On the same day that the FTC announced its $5 billion settlement with Facebook, the FTC also announced that an administrative complaint had been filed against the data analytics company Cambridge Analytica for employing deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The two individual defendants – app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix – have entered into consent orders that restrict how they are able to conduct business in the future and require them to delete any personal information they have collected.
Needless to say, it has been a very busy week for the FTC, which has previously faced criticism for being too passive in its role as a lead federal privacy and data security regulator. The Equifax and Facebook consent orders – as well as the recent action against Cambridge Analytica – clearly demonstrate that the FTC is willing to impose big fines on companies for their improper privacy practices. Whether these settlements augur increased regulatory activity by the FTC, or will establish new benchmarks for privacy violations, remains to be seen. But one thing is certain: the FTC has captured the attention of U.S. businesses.
A version of this article also appears on Ballard Spahr’s CyberAdvisor blog.