Facebook, Inc. will pay a record-breaking $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.
FTC settlement imposes historic penalty, and significant requirements to boost accountability and transparency
Highest Penalties in Privacy Enforcement Actions:
- $148 million States vs. Uber,
- $230 million British Authority vs. British Airways (proposed),
- $275 million CFPB and States vs. Equifax,
- $5 billion FTC vs. Facebook.
(Source: Federal Trade Commission. FTC.gov)
The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It is one of the largest penalties ever assessed by the U.S. government for any violation.
The settlement order announced today also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
“The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information,” said Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division. “This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness.”
More than 185 million people in the United States and Canada use Facebook on a daily basis. Facebook monetizes user information through targeted advertising, which generated most of the company’s $55.8 billion in revenues in 2018. To encourage users to share information on its platform, Facebook promises users they can control the privacy of their information through Facebook’s privacy settings.
Following a yearlong investigation by the FTC, the Department of Justice will file a complaint on behalf of the Commission alleging that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order. These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook “friends.” The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing.
In addition, the FTC alleges that Facebook took inadequate steps to deal with apps that it knew were violating its platform policies.
New Facebook Order Requirements
To prevent Facebook from deceiving its users about privacy in the future, the FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision making and holding Facebook accountable via overlapping channels of compliance.
New Facebook Privacy Compliance System – A multilayered incentive structure of accountability, transparency, and oversight – Source: Federal Trade Commission. FTC.govThe order creates greater accountability at the board of directors level. It establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.
The order also improves accountability at the individual level. Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee—not by Facebook’s CEO or Facebook employees. Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.
What to Do When You’ve Been Hacked?
Contact LIFARS.com Cyber Incident Response Team immediately