Facebook was hit with a $5 billion fine, the largest penalty ever imposed on any company for violating consumer privacy, almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide to date and one of the largest penalties ever assessed by the U.S. government for any violation.
The U.S. Federal Trade Commission (FTC) alleged that Facebook’s privacy misdeeds allowed the company to share users’ personal information with third-party apps that were downloaded by the users’ Facebook “friends.” This became known as the “Cambridge Analytica” scandal, in which Facebook had disclosed the personal data of 50 million Facebook users to the third-party “This Is Your Digital Life” app. The data ultimately ended up in the hands of Cambridge Analytica, a political consulting firm in the UK. The firm, hired by President Trump's campaign in 2016, exploited the data by launching behaviorally targeted political messages to prospective voters.
The FTC alleged that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt out of sharing. Although Facebook provided the option to block the app's access to user personal data, Facebook's default settings at that time granted such access. The FTC also alleged that Facebook took inadequate steps to deal with apps, like “This Is Your Digital Life,” that it knew were violating its platform policies.
Facebook agreed to pay the penalty and to meet the FTC’s demands for a 20-year commitment to overhaul the company’s privacy governance. As part of this overhaul, Facebook will establish an independent privacy committee of Facebook’s board of directors, not controlled by Facebook’s CEO, Mark Zuckerberg. Additionally, Facebook’s CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company complies with the privacy program. Any false certification will subject them to individual civil and criminal penalties.
The FTC order also requires that an external, independent assessor periodically evaluate the effectiveness of Facebook’s privacy program and identify any gaps. Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy. The order also bans some of Facebook’s questionable privacy practices, such as using, for marketing purposes, telephone numbers originally obtained to enable a security feature.
The FTC’s chairman stated that the “relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations”.
This article was published in the Internet, Cyber and Copyright Group’s July 2019 Newsletter.