The Federal Trade Commission (FTC) has fined Facebook, Inc. (Facebook) a record-breaking $5 billion for infringements of the FTC’s order of 2012 and for deceptive practices under the Federal Trade Commission Act 1914 (FTC Act). The FTC’s new settlement order also requires Facebook to implement changes to its privacy practices and to accept a new privacy regime.
The 2012 order
In 2011, the FTC charged Facebook with eight separate privacy-related counts. Among them was the finding that Facebook users’ personal data could be shared with the developers of apps their Facebook friends were using, without the users’ knowledge or consent. The personal data shared could include information the user had marked as “private”, as well as the news and books they were reading, relationship details, religious and political views, employment history, photos and the videos they watched. (The Cambridge Analytica scandal, which broke in 2018 and involved exactly this kind of friend-data sharing, is what prompted the FTC’s later investigation into whether Facebook had complied with the resulting order.)
In the resulting settlement, Facebook agreed to an order that required the social network to stop misleading its users about how their personal data was used, to obtain users’ express consent before sharing their data in ways that went beyond their privacy settings, and to maintain a comprehensive privacy programme subject to independent assessment.
How did Facebook infringe the order?
According to the FTC, after agreeing to the 2012 settlement, Facebook continued to mislead consumers about how their personal data was being shared. New tools such as “Privacy Shortcuts” and “Privacy Checkup” suggested that users could control their data and restrict it to friends only, or keep it private, if they so wished, but this was not the case. A disclaimer warning users that their personal data could be shared with third-party app developers was removed just four months after the order came into effect, and the settings that allowed this sharing to be turned off were “hidden away” and not directly accessible from the new privacy tools.
The FTC’s complaint also set out how, at its 2014 F8 (Facebook Developer) conference, Facebook announced that third-party app developers would no longer be allowed to collect data about the friends of app users, whilst separately informing existing developers that they could continue the practice for another year. Even after that period expired, Facebook continued to supply a “whitelist” of developers with friends’ data for years afterwards, with the FTC finding that this continued until at least June 2018.
The FTC also alleged that Facebook did not adequately screen app developers before giving them access to large amounts of sensitive personal information, and that its enforcement against developers who violated Facebook’s terms was both opaque and driven by how much those developers spent with Facebook. For example, developers spending less than $250,000 on advertising were denied data permissions outright, whilst those spending more were contacted and asked to confirm why they needed access to the data.
Furthermore, Facebook’s facial recognition feature, which allows the platform to recognise users in photos, was found to violate the order because it was switched on by default for tens of millions of users, despite Facebook’s Data Policy stating that it was an opt-in service.
Finally, Facebook was found to have infringed the FTC Act by engaging in the deceptive practice of encouraging users to provide their mobile number. Ostensibly this was for two-factor authentication and other security purposes; however, Facebook failed to tell users that it also used those phone numbers for advertising.
Impact on Facebook
Aside from the financial penalty, the 2019 order compels Facebook to make various changes relating to its internal structure:
- Establishing an Independent Privacy Committee of its board of directors, made up of independent directors, to oversee its privacy programme. Facebook’s officers and employees are excluded from the Committee, which alone has the power to appoint and remove the compliance officers, and which must approve the independent assessor.
- Designated Compliance Officers will document all material privacy decisions and submit quarterly compliance certifications to the FTC, which CEO Mark Zuckerberg must also certify. Non-compliance triggers enhanced FTC scrutiny, and a false certification could expose Zuckerberg and the compliance officers to personal civil and criminal liability.
- An FTC-approved independent privacy assessor will evaluate Facebook’s privacy practices every two years, and may not rely on Facebook’s own assertions in doing so.
In addition, the order requires Facebook to terminate app developers who do not abide by its privacy policies; to stop using phone numbers obtained for security purposes for advertising; to obtain users’ express consent before putting face recognition to any materially different use; to store passwords in encrypted form and regularly scan for passwords stored in plaintext; and to stop asking users for their passwords to other services.
The settlement certainly turned heads, not least due to the unprecedented $5 billion fine. The changes required by the order, which apply to other companies Facebook controls, such as WhatsApp and Instagram, prompted Zuckerberg to post on Facebook that “We’re going to make some major structural changes to how we build products and run this company”.
However, many have criticised the settlement for not going far enough to protect Facebook users’ privacy. Since the original 2012 order, Facebook’s annual revenue has grown roughly tenfold to over $55 billion, meaning that the $5 billion fine is equivalent to about one month of the company’s revenue. Investors were also seemingly unconcerned by the news, with Facebook’s share price rising in the wake of the settlement.
Commissioners Chopra and Slaughter, who issued dissenting opinions, both argued that users’ privacy would have been better served by taking the case to trial, and that settling early precluded accountability in open court and the potential personal liability of Zuckerberg. There are also concerns that the new privacy structures will produce little substantive change, being bodies created by Facebook, for Facebook.
Whilst it remains to be seen whether the order will produce cultural change at Facebook, there is no doubt that the settlement comes at a time of intense scrutiny of companies’ data practices. In July 2019, the Information Commissioner’s Office (ICO) issued notices of its intention to fine Marriott International £99.2 million and British Airways £183.4 million for infringements of the GDPR. Businesses should pay close attention to their compliance with applicable data protection legislation, and seek to protect themselves against the negative publicity and substantial financial risk that privacy breaches bring.