FTC Hands Down 5 Billion Dollar Penalty to Facebook

July 29, 2019 Published Article

Back in 2012, Facebook made promises that turned out to be misleading. It claimed that users could select information to be visible only to friends, but it had neglected to close a hole allowing apps used by those friends to access that data. This became painfully apparent with the Cambridge Analytica scandal, in which countless users' data was collected without their knowledge because Facebook failed to give users adequate control of their own data and privacy settings, or otherwise to inform consumers how this collection could and would occur even if they did not explicitly permit it. Now, after once again misrepresenting its security features and violating a 2012 FTC order, Facebook has been hit with a heavy five billion dollar fine, with additional, groundbreaking requirements regarding data security and public disclosures.

What Happened to Facebook?

In short, it broke promises again. The FTC alleged that Facebook had once again given companies access to information that consumers indicated they did not want to share. The FTC also alleged that Facebook misled consumers about how it used facial recognition, cell phone numbers and other forms of personal data. This violation raised the ire of the FTC, especially after the previous 20-year settlement with the entity, prompting a much harsher reaction and a deal consisting of the following prongs:

  1. Facebook is to pay a five billion dollar fine ($5,000,000,000) arising from its conduct and consumer violations.
  2. Facebook is prohibited from misrepresenting the extent to which Facebook maintains privacy and security of user information (i.e. collection, use, disclosure, verification procedures or making information accessible to third parties after deletion or termination).
  3. A SEPARATE NOTICE outside of a privacy policy (or similar notice), which details the categories of nonpublic user information that are disclosed to third parties, the categories of third parties and whether such sharing exceeds the restrictions imposed by the users' privacy settings. Facebook will then have to obtain the user's affirmative, express consent to share with a third party.
  4. User information must be inaccessible/deleted/deidentified within a reasonable period of time.
  5. Phone numbers are not to be shared with third parties in order to serve advertisements.
  6. Facebook is prohibited from requiring user passwords from third-party consumer applications.
  7. The deletion of any facial recognition templates within 90 days, unless Facebook obtains a user's explicit permission for sharing a facial recognition template.
  8. Facebook is required to create a new and comprehensive privacy policy.
  9. Facebook will have to submit reports regarding an incident where user information is compromised.
  10. The creation of an independent privacy committee and changes to Facebook's board of directors to oversee privacy decisions and the effectiveness of Facebook's Privacy Program. Failure to certify that Facebook is in compliance will incur civil and criminal penalties.

What Can Everyone Learn from Facebook?

To avoid issues, it is best to address privacy concerns openly and proactively, even using this as a selling point to consumers. As the FTC pursued Facebook due to its misrepresentations, it is important to address user control over data clearly and explicitly.

Furthermore, the FTC will only get stricter about privacy issues. Of the five commissioners, two dissented, both claiming that the settlement was insufficient and that this matter should have been litigated. This should be taken as a sign that the federal government will likely raise privacy interests to a higher level in the future, especially in light of the recent U.S. antitrust probe regarding technology companies and the various states legislating on privacy issues.