September 17, 2019

September 17, 2019

Subscribe to Latest Legal News and Analysis

September 16, 2019

Subscribe to Latest Legal News and Analysis

Facebook to Pay $5 Billion for Violating 2012 FTC Consent Order

Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.

2012 Consent Order

The FTC alleges in its complaint that Facebook violated the 2012 consent order, which prohibited the company from misrepresenting the privacy or security of consumers’ personal information, and the extent to which Facebook shared personal information with third parties. The FTC alleges Facebook violated the consent order when it deceived its users by sharing the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings. The FTC also alleges that Facebook violated the consent order by failing to screen app developers before granting them access to user data and by misrepresenting users’ ability to control the use of facial recognition with their accounts. In addition to violations of the consent order, the FTC alleges that Facebook violated the FTC Act’s prohibition against deceptive practices by re-using telephone numbers collected to enable two-factor authentication for advertising purposes.

Facebook’s New Restrictions, Requirements, and Modified Corporate Structure

Along with the $5 billion penalty, the new consent order will require Facebook to change its approach to privacy by ensuring executives are held accountable for their privacy decisions and that these decisions are subject to meaningful oversight. The settlement also mandates the creation of an independent privacy board that will designate new compliance officers responsible for Facebook’s privacy program.

Other privacy requirements include:

  • Independent third-party assessments to evaluate the effectiveness of Facebook’s privacy program and identify any gaps;

  • Privacy reviews of every new or modified product, service, or practice before it is implemented, and a requirement to document all decisions about user privacy;

  • Oversight over third-party apps by terminating app developers who fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data; and

  • Clear and conspicuous notice of Facebook’s use of facial recognition technology, and a requirement to obtain affirmative and express user consent prior to any use that materially exceeds its prior disclosures to users.

The settlement also requires Facebook to implement a new comprehensive data security program and cease the practice of using information collected for security purposes for advertising.

Cambridge Analytica

On the same day that the FTC announced its $5 billion settlement with Facebook, the FTC also announced that an administrative complaint had been filed against the data analytics company Cambridge Analytica for employing deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The two individual defendants – app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix – have entered into consent orders that restrict how they are able to conduct business in the future and require them to delete any personal information they have collected.

Needless to say, it has been a very busy week for the FTC, which has previously faced criticism for being too passive in its role as a lead federal privacy and data security regulator. The Equifax and Facebook consent orders – as well as the recent action against Cambridge Analytica – clearly demonstrate that the FTC is willing to impose big fines on companies for their improper privacy practices. Whether these settlements augur increased regulatory activity by the FTC, or will establish new benchmarks for privacy violations, remains to be seen. But one thing is certain: the FTC has captured the attention of U.S. businesses.

Copyright © by Ballard Spahr LLP

About this Author

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney
Partner

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

215-864-8180
Kim Phan, Ballard Spahr Law Firm, Washington DC, Business and Finance Law Attorney
Of Counsel

Kim Phan writes and speaks frequently about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities. Ms. Phan counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and other federal and state privacy and data security statutes and regulations. Her work in this area encompasses strategic planning and guidance for companies to incorporate privacy and data security considerations throughout product development, marketing, and implementation. Ms. Phan also assists companies with data breach prevention and response, including establishing effective data security programs prior to a breach and the assessment of breach response obligations following a breach.

Ms. Phan has also done extensive e-commerce and mobile counseling with clients, including adapting an augmented reality mobile game for a retail client, conducting online behavioral advertising assessments of websites in order to update and enhance website privacy policies, and establishing employee training on social media interactions with consumers.

202-661-2286
Katie Moorehead Cybersecurity Attorney Ballard Spahr
Associate

Katie Morehead focuses her practice on cybersecurity and privacy matters. She leverages her background in computer science to help clients bridge the gap between legal requirements and technical specifications. Katie works with clients to identify privacy gaps in current data collection practices, map data flows, and create inventories of consumer data to facilitate compliance with the California Consumer Privacy Act (CCPA). Katie also advises on the General Data Protection Regulation (GDPR) and assists clients by creating compliant privacy notices, internal privacy policies, and privacy...

202.661.7630