The Federal Trade Commission today announced an “historic” $5 billion settlement with Facebook, Inc., regarding the company’s privacy practices, over the dissent of its two Democratic commissioners, who argued that the agency should have pushed harder, even to the point of litigation, to obtain stronger deterrents.
In addition to the monetary penalty, which will be paid to the U.S. Treasury, the settlement also requires Facebook to establish privacy compliance measures, including an independent assessor to review its privacy program, an independent nominating committee to nominate independent board members, and the establishment of a privacy committee on its board. It would also have to review new products and create a privacy impact statement, FTC Chairman Joseph Simons said at a press conference today.
There are also requirements for quarterly board reviews of privacy compliance, reports to the FTC, and quarterly certifications by Chief Executive Officer Mark Zuckerberg and designated compliance officers that the company is in compliance with the order. Republican FTC Commissioner Noah Joshua Phillips described the documentation and certification requirements as “Sarbanes-Oxley for privacy,” a reference to the Sarbanes-Oxley Act’s financial accounting requirements for documentation and certification. These certifications would expose Mr. Zuckerberg and the compliance officers to civil penalties for violations, Mr. Simons said.
Mr. Simons said that the settlement requires “greater oversight of third-party app developers, including a requirement to terminate app developers that violate Facebook’s terms.” It also requires Facebook to test apps for compliance with its terms, rather than just relying on the app developers’ assurances.
In defending the settlement from criticism by lawmakers and other parties (see separate story) that focused on issues such as the lack of consequences for Mr. Zuckerberg, FTC officials argued that the outcome was the best the agency could expect given its limited authority under its existing authorizing statute, and that lengthy litigation would have risked not obtaining any relief at all. Chairman Simons and Republican FTC Commissioner Christine Wilson both reiterated the agency’s longtime call for comprehensive privacy legislation and increased authority to impose penalties.
“We are a law enforcement agency without the ability to promulgate rules,” Chairman Simons said. He added, “Our authority in this comes from a 100-year-old statute that was never intended to deal with this.” Because of this, the commission faced a choice between accepting the current settlement with “favorable terms” or litigating “for years” and perhaps ending up with an adverse court decision.
“Today is a good day for consumer privacy in America,” Commissioner Wilson said.
“We do not have legal authority to remove Mr. Zuckerberg from the driver seat,” she added. She also emphasized that concerns about Facebook that are unrelated to privacy, such as allegations of monopolization and biased treatment of content, “fall outside this settlement.”
The settlement stems from a year-long investigation into whether Facebook had violated a 2012 consent order that settled a previous FTC investigation into alleged privacy violations by the company.
Last year, Facebook acknowledged that data analytics firm Cambridge Analytica LLC collected the personal information of 50 million Facebook users without their consent as part of a political influence campaign (TR Daily, March 19, 2018), a figure it subsequently increased to 87 million users (TR Daily, April 4, 2018).
The settlement also addresses violations of the prohibition on deceptive business practices under section 5 of the FTC Act, such as the company’s statement to users that it would collect phone numbers for use in multi-factor authentication, while also using the phone numbers for advertising, without disclosing that.
The monetary penalty in the “ground-breaking” settlement is about 200 times larger than in any previous U.S. privacy enforcement action, and “more than 20 times larger than the greatest fine imposed by the European Union” in a privacy case, Chairman Simons said during the press conference on the settlement. He also said that it represents 9% of Facebook’s annual revenue and rivals the largest civil penalties of any kind in U.S. history, such as those for environmental harms and financial fraud.
Gustav Eyler, director of the Consumer Protection Branch in the Department of Justice’s Civil Division, who also spoke at the press conference, said that the settlement’s “sweeping compliance terms [are] designed to safeguard American’s privacy for decades to come” and that they “apply not just to Facebook but to Facebook-owned companies now and in the future.”
In response to a reporter’s question about why Mr. Zuckerberg wasn’t deposed as part of the FTC’s investigation, James Kohm, associate director of the FTC’s Division of Enforcement, said that the agency was able to obtain desired provisions in the settlement by not pushing to depose Mr. Zuckerberg, which would have exposed him to litigation. Mr. Eyler said that from e-mails, investigators knew when Mr. Zuckerberg was involved.
Asked whether the FTC would have the resources for oversight contemplated in the settlement, Chairman Simons said that the settlement “would take precedence over other things for sure.” Mr. Kohm noted that the FTC is “partnering with the Department of Justice” and that “there are a number of provisions in the order that make monitoring easier in the future.”
During the press conference, Commissioner Phillips said that the settlement sends two important messages: “The price of privacy just went up” and “paying attention to privacy issues is something that companies ought to consider elevating to the board level.”
Asked to respond to criticisms that the settlement will not change Facebook’s behavior substantively, Mr. Kohm said that in the wake of the settlement, “nobody at the company can assert an ostrich defense. … There are fiduciary responsibilities all the way through.”
Commissioner Wilson said, “It focuses the mind when a CEO has to sign. We believe again that this is more than paperwork.”
In her dissent, Democratic Commissioner Rebecca Kelly Slaughter said, “The Commission should not have accepted this settlement and should instead have voted to litigate.
“I understand the majority’s argument in favor of the terms of the settlement, and I recognize the settlement’s historic nature. But I do not share my colleagues’ confidence that the order or the monetary penalty will effectively deter Facebook from engaging in future law violations, and thus I fear it leaves the American public vulnerable,” she continued.
“Facebook’s privacy and data practices affect all Americans, whether they are users or not. Because of this, public interest in this investigation and its potential outcome has been higher than perhaps any other Commission investigation in recent memory. Much of the public commentary generated by this interest has demanded outcomes that far exceed the FTC’s power or legal authority. But the FTC can and should demand settlement terms that will send a clear message to wrongdoers and the public alike that violating a Commission order is to be avoided at all costs. If those terms are rejected, the FTC must litigate,” Commissioner Slaughter added.
In his dissent, Democratic Commissioner Rohit Chopra said, “We should have continued the investigation to obtain more data and evidence on what Facebook and its executives knew and how they profited. If Facebook failed to cooperate, the Commission had enough evidence to take Facebook and Zuckerberg to trial.
“When companies can violate the law, pay big penalties, and still turn a profit while keeping their business model intact, enforcement agencies cannot claim victory. If we cannot fix these problems, then policymakers must come together here at home and around the world to confront business models that rely on surveillance and profit from manipulation,” he added.
In an initial tweet responding to the FTC’s announcement, Mr. Zuckerberg said, “We have a responsibility to protect people’s privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry.
“As part of this settlement, we’re bringing our privacy controls more in line with our financial controls under the Sarbanes-Oxley legislation. Our executives, including me, will have to certify that all of the work we oversee meets our privacy commitments. Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program. We’ve also asked one of our most experienced product leaders to take on the role of Chief Privacy Officer for Products,” he continued.
“To implement this, we’ll have to review our technical systems to document any privacy risks and how we’re handling them. Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we're taking to mitigate them. We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward,” Mr. Zuckerberg said.
“Overall, these changes go beyond anything required under US law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone,” he added.
In remarks made to company employees and published on the company’s website, Mr. Zuckerberg said, “The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”
Mr. Zuckerberg added, “Over the past year we’ve made large strides on privacy. We’ve given people more control over their data, closed down apps and applied more resources to protecting people’s information. But even measured against these changes, the privacy program we are building will be a step change in terms of how we handle data. We will be more robust in ensuring that we identify, assess and mitigate privacy risk. We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards. As part of this effort, we will be undertaking a review of our systems. We expect this process will surface issues — that’s part of its purpose. When it does, we will work swiftly to address them.” —Lynn Stanton