By Jody Coultas, J.D.
The agreement settles FTC charges that Facebook violated a 2012 order that prohibited Facebook from misrepresenting the privacy and security of consumers’ personal information, and the extent to which it shares that information with third parties.
In order to settle charges that it misled users about its privacy practices and their ability to control their personal information, Facebook, Inc. has agreed to pay a record-breaking $5 billion and submit to restrictions and a modified corporate structure. The penalty is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. The $5 billion penalty amounts to 9% of Facebook’s 2018 revenue and 23% of its 2018 profit (U.S. v. Facebook, Inc., FTC Dkt. C-4365, Case 1:19-cv-02184; In the Matter of Cambridge Analytica, LLC, FTC Dkt. 9383; In the Matter of Aleksandr Kogan and Alexander Nix, FTC File Nos. 182 3106, 182 3107).
Facebook previously reached a settlement with the FTC in 2012 that prohibited the company from misrepresenting the privacy and security of users’ personal information. The FTC alleges that four months after the 2012 order was finalized, Facebook removed from its "Privacy Settings" page a disclosure that information shared with a user’s Facebook friends could also be shared with the apps used by those friends, even though it was still sharing data from an app user’s Facebook friends with third-party developers. Also, Facebook’s privacy services allegedly failed to disclose that even when users chose restrictive sharing settings, Facebook could still share user information with the apps of the user’s Facebook friends.
In addition, Facebook announced in April 2014 that it would stop allowing third-party developers to collect data about the friends of app users. Despite this promise, the company separately told developers that they could collect this data until April 2015 if they already had an existing app on the platform. The FTC alleged that Facebook waited until at least June 2018 to stop sharing user information with third-party apps used by those users’ Facebook friends. Furthermore, Facebook allegedly policed app developers on its platform improperly by failing to screen the developers or their apps before granting them access to vast amounts of user data.
The FTC also alleged that Facebook misrepresented users’ ability to control the use of facial recognition technology with their accounts. According to the complaint, Facebook’s data policy, updated in April 2018, was deceptive to tens of millions of users who have Facebook’s facial recognition setting called "Tag Suggestions" because that setting was turned on by default, and the updated data policy suggested that users would need to opt-in to having facial recognition enabled for their accounts.
In addition to these violations of its 2012 order, the FTC alleged that Facebook violated the FTC Act’s prohibition against deceptive practices when it told users it would collect their phone numbers to enable a security feature, but did not disclose that it also used those numbers for advertising purposes.
The complaint filed by the Department of Justice alleged that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order; these tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook "friends." The FTC alleged that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt out of sharing. In addition, the FTC alleged that Facebook took inadequate steps to deal with apps that it knew were violating its platform policies.
Settlement agreement. Under the new 20-year settlement order, Facebook is required to overhaul the company’s corporate governance and privacy program, and strengthen external oversight of Facebook. The "checks and balances" under the settlement remove CEO Mark Zuckerberg’s ability to unilaterally chart the path for consumer privacy at Facebook, given his penchant to "move fast and break things." The order covers Facebook’s WhatsApp and Instagram apps as well.
Facebook must create an independent privacy committee of Facebook’s board of directors, removing Zuckerberg’s control over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors. Also, Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee, not by Facebook’s CEO or Facebook employees. Facebook CEO Mark Zuckerberg and the designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.
The order also strengthens external oversight of Facebook by enhancing the independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order.
As part of Facebook’s order-mandated privacy program, Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy. The designated compliance officers must generate a quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency. The order also requires Facebook to document incidents when data of 500 or more users has been compromised and its efforts to address such an incident, and deliver this documentation to the FTC and the assessor within 30 days of the company’s discovery of the incident.
Under the order, Facebook: (1) must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data; (2) is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising; (3) must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users; (4) shall establish, implement, and maintain a comprehensive data security program; (5) must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and (6) is prohibited from asking for email passwords to other services when consumers sign up for its services.
"The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information," said Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division. "This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness."
"We are extremely proud of the landmark penalty and conduct relief announced today," said FTC Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson. "The size of the $5 billion penalty, as well as the percentage of profits it represents, will provide significant deterrence not just to Facebook, but to every other company that collects or uses consumer data."
Commissioner Christine S. Wilson noted that other issues, such as allegations of "monopolization and biased treatment of content," fell outside the order and are unresolved. Recognizing that consumers are concerned and troubled by how U.S. companies collect, use, and monetize data, Wilson called on Congress "to pass comprehensive privacy and data security legislation. Carefully crafted comprehensive federal privacy legislation will set expectations for businesses and it will empower consumers to make informed choices about when and how to share their data hopefully while preserving incentives to innovate and compete."
In a dissenting statement, Commissioner Rohit Chopra asserted his belief that "the Commissioners cut off the inquiry too early, leaving too many stones unturned, in favor of this proposed settlement. The fine print in this settlement gives Facebook a lot to celebrate, particularly when it comes to the blanket immunity for unspecified violations by Facebook and its executives. This is a disappointing precedent for the FTC to set, since more companies may now seek ways to buy broad immunity." Chopra added: "We should have continued the investigation to obtain more data and evidence on what Facebook and its executives knew and how they profited. If Facebook failed to cooperate, the Commission had enough evidence to take Facebook and Zuckerberg to trial."
Commissioner Rebecca Kelly Slaughter dissented from the settlement, noting that the record penalty is unlikely to deter Facebook from engaging in future privacy law violations. "Rather than accepting this settlement, I believe we should have initiated litigation against Facebook and its CEO Mark Zuckerberg. The Commission would better serve the public interest and be more likely to effectively change Facebook by fighting for the right outcome in a public court of law," Slaughter observed.
Administrative complaint. The FTC also announced an administrative complaint against Cambridge Analytica, and proposed settlements with Cambridge Analytica’s former chief executive and an app developer who worked with the company. The suit relates to the company’s harvesting of personal information from tens of millions of Facebook users for voter profiling and targeting.
Cambridge Analytica, Nix, and Kogan allegedly deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data.
During the summer of 2014, the FTC alleges, Kogan, together with Cambridge Analytica and Nix, developed, used, and analyzed data obtained from third-party apps that generated personality scores for the app users and their Facebook friends; those scores were then matched with U.S. voter records. The company used these matched personality scores for its voter profiling and targeted advertising services. Facebook users were also allegedly told that the app would not download any identifiable information, which was false. The company was able to collect Facebook profile data from 250,000 to 270,000 users of the app located in the United States, as well as from 50 million to 65 million of those users’ Facebook friends, including at least 30 million identifiable U.S. consumers.
Also, the FTC alleges that Cambridge Analytica falsely claimed until at least November 2018 that it was a participant in the EU-U.S. Privacy Shield framework, even though the company allowed its certification to lapse in May 2018.
As part of the proposed settlement with the FTC, Kogan and Nix are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.
Reaction to the settlement. Zuckerberg issued a statement on his Facebook page saying "The next focus for our company is to build privacy protections as strong as the best services we provide. I'm committed to doing this well and delivering the best private social platform for our community." The company press release said "We have heard that words and apologies are not enough and that we need to show action."
Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) said "While $5 billion is a record fine for the FTC, monetary damages are not enough. Facebook has repeatedly demonstrated that it prioritizes profit over people. Tough oversight is needed to prevent the abuse of consumer information by Facebook and other companies. Comprehensive privacy legislation is necessary to strengthen the FTC’s authorities and give it more enforcement tools and resources so that violating consumers’ privacy and breaking public trust isn’t just the cost of doing business."
Attorneys: Lisa K. Hsiao for the U.S. Department of Justice. Robin L. Moore, Reenah L. Kim, and Linda Holleran Kopp for the FTC. M. Sean Royall (Gibson, Dunn & Crutcher LLP) for Facebook, Inc. Kory Langhofer (Statecraft PLLC) for Alexander James Ashburner Nix. Jonathan S. Sack (Morvillo Abramowitz Grand Iason & Anello PC) for Aleksandr Kogan.
Companies: Facebook, Inc.; Cambridge Analytica LLC