FTC Imposes $5B Penalty And Strict Privacy Obligations On Facebook
The FTC-Facebook settlement to resolve charges that the company violated a 2012 order imposes a historic penalty, and significant requirements to boost accountability and transparency. The fine is almost 20 times greater than the largest privacy or data security penalty ever imposed, worldwide. It is also one of the largest monetary penalties ever assessed by the U.S. government.
Additionally, the settlement imposes unprecedented restrictions on Facebook’s business operations. Following an investigation by FTC CID attorneys, the settlement requires Facebook to revamp its privacy approach, with accountability for the executives who make privacy-related decisions.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
“The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information,” said Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division. “This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness.”
The Department of Justice will file a complaint on behalf of the FTC, alleging that Facebook systematically utilized deceptive privacy-related disclosures and settings, in violation of the 2012 FTC order. Facebook is alleged to have shared users’ personal information with third-party apps that were downloaded by the users’ Facebook “friends.” According to FTC attorneys, users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt out of sharing.
The FTC also alleges that the company failed to take adequate steps relating to apps that it knew were violating its platform policies.
The Facebook settlement order provides for the implementation of multiple compliance channels. An independent privacy committee drawn from Facebook’s board of directors must be established. The company will be required to designate compliance officers who will be responsible for Facebook’s privacy program. Quarterly certifications, and an annual certification, that the company is in compliance with the privacy program must be submitted to the FTC. Any false certification could result in civil and criminal penalties.
An independent third-party assessor will evaluate the effectiveness of Facebook’s privacy program and identify any vulnerabilities and gaps. Interestingly, the settlement order authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance.
The privacy program required by the order covers WhatsApp and Instagram.
Facebook must now conduct a privacy review of every new or modified product, service or practice before it is implemented, and memorialize its privacy-related decisions.
Among other things, the order imposes significant new privacy requirements:
- Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
- Facebook is prohibited from using, for advertising, telephone numbers that it obtained in order to enable a security feature;
- Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
- Facebook must establish, implement and maintain a comprehensive data security program;
- Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
- Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
Contact FTC CID attorneys if you are the subject of an FTC investigation or enforcement action.
Richard B. Newman is a digital advertising lawyer at Hinch Newman LLP. Follow FTC attorney on National Law Review.
Attorney Advertising. Informational purposes only. Not legal advice.