Facebook has made history today, but not in a good way. The US Federal Trade Commission (“FTC”) announced this morning that Facebook will pay a record-breaking $5 billion penalty, submit to new restrictions, and modify the company’s corporate structure to settle the charges that the company violated a 2012 FTC order. Not only is this the largest penalty in FTC history but it is also almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
In making this determination, the FTC Chairman, Joe Simons, explained that “[d]espite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices.” The underlying 2012 order prohibited Facebook from making misrepresentations about the privacy or security of consumers’ personal information or the extent to which this information was shared with third parties. It also required Facebook to maintain a reasonable privacy program that safeguarded the privacy and confidentiality of user information.
The FTC’s new 20-year settlement order will require Facebook to establish an independent privacy committee that will be appointed by an independent nominating committee. In addition, Facebook will be required to designate compliance officers who must submit quarterly certifications to the FTC that the company is in compliance with the privacy program mandated by the FTC order. An annual certification must also be completed. Not only will the certifications need to be made by compliance officers, but they will also have to be endorsed by Facebook’s CEO, Mark Zuckerberg. Any false certification will subject the parties to individual civil and criminal penalties.
The order also strengthens external oversight of Facebook and provides that an independent third-party assessor will evaluate the effectiveness of the privacy program and identify any gaps. The assessor will not simply rely on the assertions made by Facebook’s management. The third-party assessor’s biennial assessments of the company’s privacy program must be based on the assessor’s independent fact gathering, sampling and testing. The third-party assessor must also report to the privacy committee on a quarterly basis.
The privacy program covers not only Facebook but also WhatsApp and Instagram. Any new or modified product, service or practice must undergo a privacy review before it is launched. Any decisions about privacy in these circumstances must be documented.
There are also positive obligations in the event of a data breach. Specifically, the order requires Facebook to document incidents in which the data of 500 or more users has been compromised. The company must also document what efforts it made to address the incident. This information must be sent to the FTC and the third-party assessor within 30 days.
Other requirements of the order include:
- Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
- Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
- Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
- Facebook must establish, implement, and maintain a comprehensive data security program;
- Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and,
- Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
Most notably, Facebook agreed to the FTC settlement. Facebook will be actively and voluntarily engaged in revising its privacy policies and procedures. This stands in stark contrast to its behavior following the Office of the Privacy Commissioner of Canada’s findings, a mere three months ago, that Facebook must alter its approach to privacy. Although the FTC settlement originates in the US, its effect will be felt worldwide. It will be interesting to see the fallout this decision will have on other organizations, especially in light of the numerous other organizations that are facing a similar, yet much less financially burdensome, fine (e.g., British Airways).