Facebook Inc will pay a $5 billion penalty to the Federal Trade Commission and adhere to restrictions and a modified corporate structure to hold it accountable after it was found guilty of violating a 2012 FTC order.
The Federal Trade Commission imposed the penalty and restrictions after Facebook deceived users about their ability to control the privacy of their personal information on several occasions.
The $5 billion penalty against Facebook is the largest ever and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
The FTC requires Facebook to restructure its approach to privacy from the corporate board-level down, and establish strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
“The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information,” said Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division. “This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness.”
Facebook monetizes user information through targeted advertising, which generated most of the company’s $55.8 billion in revenues in 2018. To encourage users to share information on its platform, Facebook promises users they can control the privacy of their information through Facebook’s privacy settings.
However, the FTC alleges that many users were unaware that Facebook was sharing such information and did not take any steps to protect themselves or opt out.
Facebook repeatedly used deceptive disclosures and settings, and these tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook “friends.”
The FTC also took action against data analytics company Cambridge Analytica, its former Chief Executive Officer Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, for using false and deceptive tactics to harvest personal information from millions of Facebook users.
To prevent Facebook from deceiving its users about privacy in the future, the FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision making and holding Facebook accountable via overlapping channels of compliance.
The order creates greater accountability at the board of directors level. It establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.
Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly and annual certifications or face individual civil and criminal penalties.
Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy. The order also requires Facebook to document incidents when data of 500 or more users has been compromised and its efforts to address such an incident, and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.
The settlement stems from alleged violations of the FTC’s 2012 settlement order with Facebook. The FTC alleges that Facebook violated the 2012 order by deceiving its users when the company shared the data of users’ Facebook friends with third-party app developers, by not screening the developers or their apps before granting them access to vast amounts of user data, and by misrepresenting users’ ability to control the use of facial recognition technology under “Tag Suggestions,” which was turned on by default.
The order covers WhatsApp and Instagram.