On July 24, 2019, both the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) announced landmark settlements with Facebook. The agreements were significant not only because of the hefty fines levied against the social media giant but also because of the specific charges brought against the company and the proactive measures Facebook will need to implement going forward to prevent future privacy violations. The two settlements have overarching implications for all companies to consider in terms of what regulators are looking for regarding data privacy and what kinds of penalties companies can expect for noncompliance. This legal alert summarizes the two settlements and highlights key takeaways from them that all companies should be aware of, especially as they look to further diversify and expand the way they collect, store, and share consumer data.
FTC v. Facebook
On July 24, the FTC announced a $5 billion fine against Facebook—the largest penalty ever levied against a company for data privacy violations—along with other protective measures the company would have to take going forward. The FTC reached this settlement after it found that Facebook had violated a 2012 consent order that prevented the company from misrepresenting to consumers its data collection, sharing, and security practices, and required it to implement a reasonable data privacy program. The FTC alleged that Facebook’s violations of the 2012 consent order resulted in an unfair and deceptive trade practice under Section 5 of the FTC Act.
One way in which Facebook was found to have violated the 2012 consent order is by continuing to mislead consumers about its data sharing practices. For example, the FTC alleged that Facebook claimed to allow users to limit their data sharing to only their “friends” on the platform. However, the FTC found that, even when set on the most restrictive privacy settings offered, many categories of a consumer’s data (such as a person’s religious or political views or their relationship status) were made readily available to third-party app developers through the consumer’s “friends.” In 2014, Facebook publicly stated that it was putting an end to this practice, but the FTC alleged that some third-party app developers had access to users’ friends’ personal data as late as June 2018.
Another notable way in which Facebook was found to have violated the 2012 consent order is through its facial recognition technology. According to the FTC, Facebook stated to users that they would need to opt-in to the use of facial recognition for the platform to use it for its features. However, Facebook’s “tag” feature, which automatically recognizes people for photos and videos, was turned on by default, thereby rendering deceptive the statement in Facebook’s data policy regarding facial recognition.
These practices and myriad more led to Facebook’s settlement with the FTC late last week. While the amount of the fine clearly makes the headlines, the FTC also imposed multiple requirements on Facebook regarding its privacy practices, which the company will have to adhere to for 20 years.
First, the FTC’s settlement seeks to ensure that privacy starts at the top for Facebook. The company will be required to establish an independent privacy committee as part of its board of directors. The members must be appointed by an independent nominating committee and can be fired only by a supermajority of the board. Part of the independent privacy committee’s responsibility will be to approve the designation of compliance officers who will be in charge of Facebook’s privacy program. These compliance officers and Facebook CEO Mark Zuckerberg will be independently required to make quarterly submissions to the FTC regarding the company’s compliance with the privacy program as stipulated by the new consent order. CEO Mark Zuckerberg must also make annual CEO certifications of compliance with the new consent order to the FTC. The compliance officers will be required to submit for government review a quarterly privacy review report, which must include an analysis of the privacy implications for every new or modified product and service offered by Facebook.
Regarding external oversight, the settlement states that Facebook must biennially allow an independent third-party assessor, approved by the government, to evaluate the effectiveness of Facebook’s privacy program. The third-party assessor must also report quarterly to the independent privacy committee of the board of directors regarding its findings and is to receive a copy of the designated compliance officers’ quarterly privacy review.
Along with these oversight mechanisms, the order also requires Facebook to implement specific privacy practices, which include:
- Exercising oversight over the data privacy practices of third-party app developers;
- Establishing, implementing, and maintaining a comprehensive data security program;
- Providing clear and conspicuous notice of its facial recognition policy and obtaining affirmative consent before any material change is implemented; and
- Encrypting user passwords.
In addition to making required disclosures regarding its privacy practices to the FTC, Facebook will be required to turn over all reports, assessments, certifications, and documents required or requested under the settlement to the Bureau of Consumer Protection at the US Department of Justice (DOJ). The order further states that DOJ will have the same rights to engage in compliance monitoring as the FTC.
SEC v. Facebook
On the same day as the FTC order, the SEC announced its own settlement with Facebook for misleading statements Facebook made in its required public filings about its data privacy practices. The SEC claimed that Facebook misled investors by being publicly dishonest about its data sharing practices.
The SEC’s charges relate directly to the issues surrounding Facebook’s relationship with Cambridge Analytica. According to the SEC, Facebook knew in 2015 about Cambridge Analytica’s improper use of the information available on Facebook. Yet, from then until 2017, Facebook continued to tell investors that its information could potentially be misused, instead of revealing the fact that it was aware of Cambridge Analytica’s actual misuse of the information. Under the Securities Act of 1933 and Securities Exchange Act of 1934, public companies are required to make complete and accurate disclosures of potential material business risks and are required to maintain controls and procedures designed to ensure that information is communicated promptly to management, including its CEO, to allow accurate and timely disclosures. The SEC found that Facebook’s actions violated the federal securities laws, it fined the company $100 million, and it permanently enjoined Facebook from similar violations in the future.
Key Takeaways From the Settlements:
1. The regulators are focused on accurate disclosure. Both the FTC and the SEC came after Facebook for failing to adhere to the privacy practices that it had published. In a world where businesses are collecting, storing, and sharing data more than ever before, it is critical that companies be aware of their own data collection practices and take care that they are properly representing those practices to the public. Disclosing to consumers anything and everything that you are doing with their information, and the risks being created, can be difficult and unsavory from a business perspective, but those burdens should be weighed against the monetary and reputational risk that comes from a potential enforcement action.
2. The stakes are getting higher. While most companies won’t be subject to the kind of scrutiny that results in being slapped with a $5 billion fine, regulators will likely continue to rely on heavy monetary penalties to disincentivize privacy violations. Earlier in the year, for example, the FTC issued its largest fine ever under the Children’s Online Privacy Protection Act (COPPA) ($5.7 million) against another social media company, TikTok. Other regulators are also upping the financial stakes. The Information Commissioner’s Office—the United Kingdom’s privacy regulator—issued the largest fine to date under the EU General Data Protection Regulation against British Airways when it fined the airline company $229 million earlier in July.
3. Accountability is becoming the norm. The FTC’s and DOJ’s accountability measures for Facebook are particularly extensive, likely due to the company’s size and stature. But the fact that the FTC wants Facebook to hold senior executives accountable for the company’s privacy practices isn’t unique to the social media giant. Earlier this summer, the FTC reached a settlement with DealerBuilt—a software developer and provider for auto dealers—that required the company to make multiple changes to its privacy practices and to designate a senior executive to be in charge of the cybersecurity program. Like Facebook, DealerBuilt was also required to implement other protective measures, such as yearly training for employees, independent third-party assessment, and making available relevant documents to the FTC upon request. Other regulators and legislatures are imposing similar requirements.
4. It can always be worse. Not everyone is happy with the FTC’s settlement with Facebook. The Electronic Privacy Information Center (EPIC), a consumer group focused on privacy rights, has sued the FTC in federal district court, alleging that its settlement with Facebook was not adequate, reasonable, or appropriate. EPIC takes issue with the fact that the settlement wipes away the thousands of consumer complaints filed with the FTC against Facebook and ignores other privacy violations conducted by the company, such as an alleged glitch in its Messenger Kids app that allows children under 13 to chat with adults, potentially violating COPPA. How this lawsuit gets resolved remains to be seen, but it goes to show that there is room for regulators to impose even harsher penalties than the one issued by the FTC.
5. A national privacy law could soon materialize. The FTC has also emphasized that the Facebook settlement was a strong result for the agency in the absence of a national privacy law, which would give the FTC greater authority to take action against companies that run afoul of privacy regulations. And in mid-July, shortly before the Facebook settlements were announced, a coalition of trade groups from various industries had united to urge Republican and Democratic members of the House and Senate commerce committees to pass federal consumer privacy legislation. The push for a national privacy law seems to be gaining momentum and may have a welcome audience among those who would have liked to see the FTC do more in this case.
These takeaways aren’t limited to companies like Facebook and regulators like the FTC and SEC. They apply to businesses of all sizes and highlight trends that are shaping the overall regulatory environment around privacy. Companies looking to stay proactive and limit potential regulatory exposure should keep this in mind, especially as use of social media platforms and the monetizing of personal data become more prevalent in all aspects of business.