FTC confirms USD 5 bln fine and 20-year compliance agreement for Facebook privacy violations

Nieuws Breedband Verenigde Staten 24 JUL 2019
FTC confirms USD 5 bln fine and 20-year compliance agreement for Facebook privacy violations

The US Federal Trade Commission has confirmed a record USD 5 billion fine against Facebook for violating customers' privacy. The regulator also imposed a new compliance regime on the company, valid for 20 years, in order to ensure Facebook and its apps no longer abuse personal data of customers. 

The FTC launched an investigation into Facebook over a year ago, after the Cambridge Analytica scandal broke. The regulator confirmed that the social network had shared user data with third-party apps without proper authorisation, and that data was subsequently used by Cambridge Analytica for elections targeting. The FTC also announced separate law enforcement actions against Cambridge Analytica, its former CEO Alexander Nix, and app developer Aleksandr Kogan, alleging they used false and deceptive tactics to harvest personal information from millions of Facebook users.

Third-party app data sharing

The fine and compliance orders against Facebook are based on violations of an earlier agreement the company struck with the FTC in 2012 to improve its privacy protections. The regulator found that Facebook misled users in the subsequent years over how it continued to share the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings. 

Various changes in the social network's privacy settings suggested to users they were not sharing data, without full disclosure that Facebook could still pass on their details, such as names and dates of birth. Even after saying in 2014 that it would stop the practices, it was not until at least June 2018 that the company stopped sharing friends' data with third-party developers, the FTC said. 

The company was also found to fall short in policing third-party developers in how they used the personal data and lived up to Facebook policies. Enforcement of the policies was not consistent and often linked to how much the company earned in individual agreements. In addition, Facebook misled users about its use of facial recognition technology on the social network and how it used phone numbers not just for security purposes via two-factor authentication but also for advertising purposes.  

Independent privacy committee

The compliance agreement takes responsibility for the violations to the very top of Facebook, targeting its CEO Mark Zuckerberg, who the FTC suggests has too much individual control over the company's operations and user privacy. Facebook must establish an independent privacy committee on its board of directors, with independent members appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.

In addition, the new privacy committee will designate compliance officers who will be responsible for Facebook’s privacy program. The officers can be removed only by that committee—not by Facebook’s CEO or Facebook employees. 

Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.

The order also strengthens external oversight of Facebook. The order enhances the ability of the independent third-party assessor appointed in 2012 to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. The assessor’s biennial assessments of Facebook’s privacy program must be based on independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management. The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC, and the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The FTC can also use its own discovery tools to monitor Facebook’s compliance with the order.

Privacy review of every new product

The order covers not just Facebook but also WhatsApp and Instagram and requires the company to conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy. The designated compliance officers must generate a quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency. 

The order also requires Facebook to document incidents when data of 500 or more users has been compromised and its efforts to address such an incident, and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.

Additionally, the order imposes new privacy requirements within Facebook's service, including the following:

  • Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using phone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plain text; 
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

The Department of Justice will file a case in federal court in order to implement the order, which must be confirmed by a judge before taking effect. 

More issues surface

Facebook said the agreement "will require a fundamental shift in the way we approach our work", as the company aims to employs privacy controls as strictly as it adheres to financial compliance. It has already made many changes to its operations in the past year, but said the new agreement will take these measures even further. The FTC order will require a full review of its systems, and Facebook warned this process could "surface issues", which it will work quickly to address. 

Already this month, in response to the FTC investigation, it discovered that shortcomings in its systems allowed some partners to continue accessing data to provide Facebook features on their products. The company claims there was no abuse in this case, but the new agreement will help ensure against such risks going forward. 

The company said the new accountability goes beyond current US law and "we hope will be a model for industry". Facebook added that the process "stops at the desk of our CEO, who will sign his name to verify that we did what we said we would".

SEC fine for investor disclosure

Facebook also confirmed a USD 100 million fine from the US Securities and Exchange Commission for failure to adequately disclose to investors the risks from the company's privacy mishaps. In particular, more should of been said to investors about the Cambridge Analytica scandal and how it violated Facebook's policies.  

Categories:

InternetMobiel

Companies:

Facebook

Regions:

Wereld

Countries:

Verenigde Staten

Tags:

Messaging, Regulations, IT - applications, Advertising services

Related Articles

VERENIGDE STATEN 23 DEC 2022

Meta to pay USD 725 mln to resolve US class-action suit over Facebook role in Cambridge Analytica affair

Meta Platforms has agreed to pay USD 725 million to resolve a class-action lawsuit accusing the company of allowing third parties, including Cambridge Analytica, to access the personal data of its users, different media reported, citing a court filing. The proposed settlement brings the company close to resolving the lawsuit that started in 2018, after reports showed Facebook had allowed Cambridge Analytica to access the data of as many as 87 million users.

WERELD 25 JUL 2022

Meta makes new USD 150 mln contribution to Oversight Board Trust

Meta is making a contribution of USD 150 million to its Oversight Board Trust. The money is in addition to the USD 130 million provided in 2019 when the trust was first established. The new contribution is to provide for the board's ongoing support.

VERENIGDE STATEN 16 FEB 2022

Facebook to pay USD 90 mln to settle US privacy suit over tracking cookies

Facebook agreed to pay USD 90 million to settle a decade-old privacy lawsuit accusing it of tracking users' internet activity even after they logged out of the social media website. The proposed preliminary settlement was filed with the US District Court in San Jose, California, and requires a judge's approval before taking effect, Reuters reports. The deal also requires Facebook to delete data it collected improperly.

WERELD 3 NOV 2021

Facebook shutters facial recognition system

Facebook announced it will be shuttering its facial recognition system over the coming weeks, deleting more than a billion people's individual facial template. People who have opted in to the Face Recognition setting, estimated at over a third of Facebook daily users, will no longer be automatically recognized in photos and videos. The company turned face recognition off by default in September 2019, after receiving a fine from the US Federal Trade Commission for privacy violations. 

VERENIGDE STATEN 24 SEP 2021

Lawsuit claims Facebook overpaid FTC fine to protect Zuckerberg

Facebook conditioned its USD 5 billion payment to the Federal Trade Commission to settle the Cambridge Analytica data leak case by asking the agency to ditch its plans to sue Facebook CEO Mark Zuckerberg individually, shareholders allege in a lawsuit reported by Politico. 

EUROPA 2 SEP 2021

WhatsApp fined EUR 225 million for privacy violations in EU

WhatsApp has been fined EUR 225 million by Ireland's Data Protection Commission for violations of the EU's General Data Protection Regulation. This follows an investigation started in December 2018 over whether WhatsApp made it clear how it collects and uses personal data, including disclosing how it shares data with other Facebook companies.

WERELD 7 JAN 2021

WhatsApp updates terms to require data sharing with Facebook

WhatsApp is updating its terms and conditions for both iOS and Android users, including how it processes user data and when it shares this with other Facebook companies. WhatsApp users were informed about the change through an in-app notice telling them about the app's updated mandatory terms of service and privacy policy. They need to accept the changes by 8 February if they want to continue using the app. 

VERENIGDE STATEN 10 DEC 2020

FTC seeks sale of WhatsApp, Instagram in Facebook monopoly case

The US Federal Trade Commission along with 48 states and territories of the US have filed lawsuits against Facebook, accusing the company of illegally maintaining a monopoly in the social networking market. The case centres on the company's takeovers of Instagram and WhatsApp and may lead to Facebook being forced to divest some of its business. Facebook said the regulators were engaging in "revisionist history" by trying to undo acquisitions they had already approved. 

VERENIGDE STATEN 7 OCT 2020

US Congressional report calls for antitrust action against tech giants

A report from a key committee in the US Congress has accused tech giants Apple, Amazon, Facebook and Google of exploiting their significant market power in anticompetitive ways. After over 16 months of investigation, the House Judiciary Committee's Antitrust Subcommittee concluded that Congress and the antitrust enforcement agencies "need to take action that restores competition, improves innovation, and safeguards our democracy". It will be up to the new Congress elected in November to decide whether to ta

VERENIGDE STATEN 16 SEP 2020

US FTC may file antitrust case against Facebook by year-end - report

The US Federal Trade Commission is gearing up to file a possible antitrust lawsuit against Facebook by year-end, people familiar with the matter told the Wall Street Journal. The case would challenge the company's dominant position in social media.

WERELD 20 AUG 2020

US court gives preliminary approval to Facebook settlement of facial recognition suit

A federal court has granted Facebook's request, in a preliminary approval, to settle a lawsuit over the company's use of facial recognition technology. Facebook said it would pay USD 650 million to settle the suit. The company had earlier proposed USD 500 million but the federal judge said the amount was not enough. The order was filed in the US District Court for the Northern District of California. The final approval hearing has been set for 7 January.

VERENIGDE STATEN 8 JUL 2020

Facebook delays launch of Oversight Board to late fall

Facebook has pushed the launch of its Oversight Board to the late fall. The company said its first members were announced in May and that the board is now focused on setting up a new institution.

WERELD 7 MAY 2020

Facebook names members of independent oversight board

Facebook has announced the members of its new Oversight Board. The oversight board will review certain content decisions by Facebook and Instagram and make binding decisions based on respect for freedom of expression and human rights.  

VERENIGDE STATEN 24 APR 2020

US court approves Facebook's USD 5 bln privacy deal with FTC

A US federal court has officially approved the agreement Facebook reached with the Federal Trade Commission (FTC) last July, confirmed the company's chief privacy officer Michael Protti in a blog. The approval concludes the FTC's investigation that began after the Cambridge Analytica scandal surfaced in 2018, leading to a record USD 5 billion for the social networking giant as well as orders to implement a raft of strict new data privacy measures. "With this agreement now in place, executive leaders at the

WERELD 17 FEB 2020

Zuckerberg says social media firms could use some form of regulation

Facebook CEO Mark Zuckerberg gave a speech over the weekend at the Munich Security Conference and acknowledged that social media companies need more regulation and guidance from governments to fight the problem of harmful and false online content, various media reported from the event. He said he supported state regulations in four fields, namely, elections, political discourse, privacy and data portability. "We don't want private companies making so many decision-balancing social equities without democrati

Just In

16:42

SLT-Mobitel launches 5G network in Sri Lanka

16:19

Dialog Axiata launches 5G network, connects 1.5 million subscribers

15:56

UK govt to ban AI-enabled nudification apps to protect women, girls

15:42

3 UK launches last-minute Christmas sale

Commentary

13:56

Video market set for slower growth ahead

11:38

Netflix buys Warner Bros to deepen content catalogue

11:11

KPN's mixed performance in Q3 raises questions for strategy day

15:26

Stock markets breaking records but what happened to Odido's IPO plans?

Background

01:04

The week in telecom: Wi-Fi bolt-ons take off to boost broadband growth, video market works on consolidation

01:39

The week in telecom: Netflix wins bidding for Warner Bros, Apple poaches new execs, Samsung debuts trifold

13:51

Proximus vs. Telenet: Proximus performs better in Q3 while Telenet uses up cash

14:16

Proximus Domestic still struggling with low margins

Complete profile

Before downloading the whitepaper, we would like to ask you to complete your profile with company and position. After confirming you will receive the white paper.