FTC gives Facebook a $5 billion slap on the wrist for privacy violations

Kareem Anderson

In what can be seen as the single largest rebuke the FTC has levied at a company, Facebook will be fined $5 billion and required to make some seemingly significant changes to its level of accountability and transparency regarding privacy restrictions.

Facebook’s new penalty comes amid the fallout from a 2012 FTC violation regarding the company “deceiving users about their ability to control the privacy of their personal information.”

The 2012 order prohibited Facebook from making misrepresentations about the privacy or security of consumers’ personal information, and the extent to which it shares personal information, such as names and dates of birth, with third parties. It also required Facebook to maintain a reasonable privacy program that safeguards the privacy and confidentiality of user information.

Facebook’s norm-shattering twenty-year settlement fine also comes with stipulations intended to curb privacy violations by the company, such as an attempt to keep the organization from making sweeping unilateral decisions by creating multiple channels of compliance authorization, albeit mostly internal structures. Under the proposed overhaul, Facebook would establish an “independent privacy committee of board of directors” that, in theory, would mitigate some of CEO Mark Zuckerberg’s authoritative decision making.

According to the recently published FTC press release:

As part of Facebook’s order-mandated privacy program, which covers WhatsApp and Instagram, Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy. The designated compliance officers must generate a quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency. The order also requires Facebook to document incidents when data of 500 or more users has been compromised and its efforts to address such an incident, and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.

Additionally, the order imposes significant new privacy requirements, including the following:

  • Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

On the face of things, these are all admirable concessions the FTC is asking for, but even FTC Commissioner Rebecca Kelly Slaughter and others have pointed out that while $5 billion is a lot of capital for one company, Facebook will ultimately run much as it does now, with little active oversight from the FTC.

Slaughter believes the current penalty is insufficient given Facebook’s repeated privacy violations, doesn’t allow for much third-party enforcement, and still does little to hold Facebook officers accountable. Instead, Slaughter would like to charge Mark Zuckerberg specifically with violations of privacy in open litigation.

At the end of the day, the FTC finally made a formal complaint against Facebook and won $5 billion back from the company. However, it remains to be seen how well the FTC’s restrictive enforcement holds up over the next few months, let alone twenty-five years.