Facebook Inc. will pay a record-breaking $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its user’s privacy to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.
The FTC states that the $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It is one of the largest penalties ever assessed by the U.S. government for any violation.
The Department of Justice will file a complaint on behalf of the FTC alleging that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order. These tactics allowed Facebook to share users’ personal information with third-party apps that were downloaded by Facebook “friends”. The FTC alleges that many were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing.
The FTC has also sued Cambridge Analytica, its former Chief Executive Officer Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, alleging they used false and deceptive tactics to harvest personal information from millions of Facebook users. Kogan and Nix have agreed to a settlement with the FTC that will restrict how they conduct any business in the future.
The FTC’s new 20-year settlement order with Facebook establishes an independent privacy committee of Facebook’s board of directors, “removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy”. Members of the privacy committee will be independent and appointed by an independent nomination committee. Members can only be fired by a supermajority of the Facebook board of directors.
Facebook must designate compliance officers who will be responsible for Facebook’s privacy program. These officers are subject to the approval of the new board privacy committee and can only be removed by that committee. An independent third-party assessor will evaluate the effectiveness of Facebook’s privacy program and identify any gaps.
Facebook’s order-mandated privacy program also covers WhatsApp and Instagram. Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented and document its decisions about user privacy. Facebook must share that with the CEO of the independent assessor and the FTC.
Other requirements include:
- Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data
- Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g. two-factor authentication) for advertising
- Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users
- Facebook must establish, implement, and maintain a comprehensive data security program
- Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext
- Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services