Facebook to Pay $5 Billion for Violating 2012 FTC Consent Order
Wednesday, July 24, 2019
Facebook FTC Consent Order Violation, FB agrees to civil fines
Print Mail Download i

Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.

2012 Consent Order

The FTC alleges in its complaint that Facebook violated the 2012 consent order, which prohibited the company from misrepresenting the privacy or security of consumers’ personal information, and the extent to which Facebook shared personal information with third parties. The FTC alleges Facebook violated the consent order when it deceived its users by sharing the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings. The FTC also alleges that Facebook violated the consent order by failing to screen app developers before granting them access to user data and by misrepresenting users’ ability to control the use of facial recognition with their accounts. In addition to violations of the consent order, the FTC alleges that Facebook violated the FTC Act’s prohibition against deceptive practices by re-using telephone numbers collected to enable two-factor authentication for advertising purposes.

Facebook’s New Restrictions, Requirements, and Modified Corporate Structure

Along with the $5 billion penalty, the new consent order will require Facebook to change its approach to privacy by ensuring executives are held accountable for their privacy decisions and that these decisions are subject to meaningful oversight. The settlement also mandates the creation of an independent privacy board that will designate new compliance officers responsible for Facebook’s privacy program.

Other privacy requirements include:

  • Independent third-party assessments to evaluate the effectiveness of Facebook’s privacy program and identify any gaps;

  • Privacy reviews of every new or modified product, service, or practice before it is implemented, and a requirement to document all decisions about user privacy;

  • Oversight over third-party apps by terminating app developers who fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data; and

  • Clear and conspicuous notice of Facebook’s use of facial recognition technology, and a requirement to obtain affirmative and express user consent prior to any use that materially exceeds its prior disclosures to users.

The settlement also requires Facebook to implement a new comprehensive data security program and cease the practice of using information collected for security purposes for advertising.

Cambridge Analytica

On the same day that the FTC announced its $5 billion settlement with Facebook, the FTC also announced that an administrative complaint had been filed against data analytics company, Cambridge Analytica, for employing deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The two individual defendants – app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix – have entered into consent orders that restrict how they are able to conduct business in the future as well as requiring them to delete any personal information they have collected.

Needless to say, it has been a very busy week for the FTC, which has previously faced criticism for being too passive in its role as a lead federal privacy and data security regulator. The Equifax and Facebook consent orders – as well as the recent action against Cambridge Analytica – clearly demonstrate that the FTC is willing to impose big fines on companies for their improper privacy practices. Whether these settlements augur increased regulatory activity by the FTC, or will establish new benchmarks for privacy violations, remains to be seen. But one thing is certain: the FTC has captured the attention of U.S. businesses.

Copyright © by Ballard Spahr LLP

Current Legal Analysis

More from Ballard Spahr LLP

FinCEN Deputy Director Stresses Technological Innovation, Virtual Currency Enforcement and the U.S. Culture of Compliance
by: Brian N. Kearney
The EU’s Efforts to Combat Money Laundering, the Financing of Terrorism and Corruption Seem to Overlook a Very American Approach: Prosecute People
by: Peter D. Hardy , Mary Treanor
California Legislature Adopts Five Amendments to CCPA, But Largely Rejects Industry Efforts
by: Gregory Szewczyk
Should the Financial Industry Be Detecting Future Mass Shooters?
by: Peter D. Hardy , Mary Treanor
Trump Administration to Discharge the Federal Student Loan Debt of Totally and Permanently Disabled Veterans
by: Stacy H. Rubin
FinCEN Advisory Highlights Money Laundering Risks Related to Fentanyl Trafficking
by: Terence M. Grugan
CFPB’s First Remittance Transfer Rule Enforcement Action
by: Bowen "Bo" Ranney , James Kim
FinCEN Announces New “Global Investigations Division” Focused on Foreign Money Laundering Threats
by: Peter D. Hardy
DOL Seeks to Improve Employers’ FMLA Forms
by: Brian D. Pedrow , David S. Fryman
The Federal Reserve’s Entry into Real-Time Payments
by: Christopher D. Ford , Judy Mok

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins