Every Company’s Lessons from the FTC’s Facebook Settlement

By Michael A. Shapiro, Esq., CIPP/US/E, Attorney with XPAN Law Group, LLC

Last month’s Federal Trade Commission settlement with Facebook was met with mixed reactions. While the Commission hailed it as “record-breaking and history-making,” some critics derided it as amounting to little more than a slap on the wrist. Although the headlines focused on the $5 billion amount of the penalty, it is the non-monetary terms of the settlement that might prove to be the most consequential for the industry.

The FTC originally charged Facebook, in 2011, with several privacy-related violations, including that Facebook allowed users to choose settings that purportedly limited access to their personal information just to their “friends” without adequately disclosing that another setting allowed their information to be shared with developers of third-party applications used by the “friends.” In essence, this was a form of “shadow” collection and sharing of personal data. In 2012, Facebook reached a settlement with the FTC that, among other things, prohibited the company from making representations about privacy or security of consumer information, prohibited Facebook from misrepresenting the extent to which it shared personal data, and required it to implement a reasonable privacy program.

In March of 2018, the FTC began investigating Facebook for a possible violation of the 2012 settlement following a disclosure that the political consulting firm Cambridge Analytica had harvested the personal information of 87 million Facebook “friends” of the individuals who used a third-party survey application.

According to the July 2019 Complaint, Facebook breached the terms of the 2012 settlement as it continued to engage in the same deceptive conduct with respect to third-party developers’ collection of data.  In addition, the FTC alleged that Facebook failed to vet third-party developers before granting them access to consumer data; used personal information purportedly collected for security measures for advertising; and deceived consumers into believing that they had to affirmatively consent to allow the use of facial recognition software on their pictures (prior to the settlement, that setting was turned on by default for tens of millions of users).  

The 2019 Consent Order includes a number of injunctive provisions, in addition to the monetary penalty. The $5 billion amount of the penalty, which has been criticized as insufficient given Facebook’s multi-billion dollar profits, represents about 9% of the company’s 2018 revenue. By contrast, the highest penalty contemplated by the EU’s GDPR amounts to only 4% of annual revenue. See Art. 83. To date, the biggest penalty imposed under the GDPR is the £183 million fine on British Airways for last year’s security breach (which equates to about 1.4% of British Airways’ 2018 revenue).

In addition to specific changes to its practices, the settlement requires Facebook to implement a comprehensive privacy program that promotes independence of privacy-related decision-making and operations as well as accountability.  For example, Facebook is now required to conduct regular privacy risk assessments in each area of its operations and implement safeguards that control for the material risk identified in those assessments. In addition, Facebook must undertake privacy risk assessments prior to implementing new or modified products and services and produce Privacy Review Statements accounting for corresponding risks and safeguards. These requirements align well with those under the GDPR. See Arts. 25 and 35.  

Facebook’s Board of Directors will be required to appoint an Independent Privacy Committee, which will be briefed on material privacy risks and issues at the company and have approval-removal authority over the company’s privacy compliance officers and independent third-party assessor. The compliance officers will be responsible for carrying out a day-to-day privacy program, documenting all privacy-related decisions, providing periodic reports to the third-party assessor and the CEO, as well as certifying compliance to the FTC. In addition, a third-party assessor appointed with the FTC’s approval will provide an independent evaluation of Facebook’s privacy practices every two years.

In the absence of federal consumer privacy legislation, U.S. companies should look to the FTC’s Facebook settlement as a persuasive precedent in developing their privacy programs. For example, in light of the settlement, companies should consider structuring their compliance programs to afford privacy officers a certain degree of independence within their corporate structure. This notion is already embodied in the GDPR, which provides that Data Protection Officers cannot receive instructions from organizations regarding the exercise of their tasks and cannot be dismissed or penalized for performing these tasks. See Art. 38(3).

In addition, privacy and data protection accountability processes should be incorporated at all organizational levels. They should include regular privacy and regulatory impact assessments and thorough documentation of all corresponding processes and decisions. It is also clear that the FTC expects privacy to be a C-suite priority for any organization that collects and processes personal data. Thus, privacy compliance programs should incorporate reporting and accountability mechanisms that keep the company’s executives invested in the compliance process.

Even though there are still serious concerns over Facebook’s practices with respect to collection, usage, and sharing of personal data, some of these issues need to be addressed by future federal legislation and steeper financial penalties to incentivize good privacy practices. In the meantime, companies large and small should assess and calibrate their privacy compliance programs in light of the Facebook settlement terms. Because, in data privacy and cybersecurity, luck favors the prepared!

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.