Following a yearlong investigation triggered in part by the Cambridge Analytica incident, the Federal Trade Commission (FTC) has announced a much anticipated settlement with Facebook, Inc. The Commission determined that the company violated its existing 2012 FTC Order by “deceiving users about their ability to control the privacy of their personal information.” The settlement imposes a record-breaking $5 billion penalty, the largest ever for a consumer privacy violation, restricts Facebook’s business operations, and requires structural changes intended to hold the company and its executives accountable for how the company handles their users’ privacy. To announce the settlement, the FTC held a lengthy press conference that expounded on the Commission’s decision to settle with Facebook and briefly touched on what the settlement means for other companies that handle users’ information. To help understand what this all means, ZwillGen’s FTC team leaders have responded to pertinent questions below.
Q: What is so significant about the order?
The size of the fine is the first and most-striking part of the settlement. The five billion dollar fine, which the FTC described as representing almost a quarter of (23%) Facebook’s total profit in 2018, is larger than any fine imposed by the U.S. government for any violation, not just consumer privacy, or by the E.U. as a result of the General Data Protection Regulation (GDPR). Second, the Order imposes potentially significant structural changes on Facebook, which will have an additional monetary impact as well as an organizational one. For instance, the Order requires the designation of an independent privacy committee that must be appointed by an independent nominating committee. Practically, this may reduce the influence that the CEO, Mark Zuckerberg, or other top executives can have on decisions made about users’ privacy.
Q: What did Facebook do wrong, according to the FTC?
According to the FTC’s complaint, Facebook violated the previous 2012 Order and Section 5 of the FTC Act by “failing to protect consumers’ privacy.” The complaint accuses Facebook of failing to supervise third-party ad developers, activating a facial recognition feature without users’ consent, and misleading consumers on the effectiveness of privacy controls, especially the “friends only” privacy setting which included not only a user’s friends, but also any third party app that the “friend” had accessed. With respect to new violations of Section 5, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” the FTC alleges that Facebook took user phone numbers for security verification but then also used them for advertising without providing notice or obtaining consent.
Q: What do you make of the 3-2 vote on the order?
The split vote here demonstrates that two Commissioners wanted to either continue the investigation or obtain greater relief in a settlement. Importantly, this means that in other circumstances, particularly where the fine is not so great, the Commission may demand more relief and name executives.
Specifically, the two dissenting Commissioners, Rohit Chopra and Rebecca Slaughter, expressed concern that for a large company with tremendous market share, the fine and structural requirements will not be adequate to deter Facebook from future violations and may not impact other companies’ behavior in the marketplace. They expressed concern with the release of liability for other potentially unknown violations of the 2012 Order. Both dissenting Commissioners believed the Commission should have held officers (e.g., Zuckerberg and Sandberg) individually liable to modify their behavior and send a message to other executives. Commissioners Chopra and Slaughter pointed out that the agency often names individual defendants in cases against small companies, but does not for large, publicly traded companies, and expressed concern that the independent committee serves a paperwork function and would be relatively powerless.
Q: How do the new structural changes work?
The Order is chock full of new measures Facebook must take to remain in compliance. Some are tried and true solutions from prior FTC Orders, such as requiring biennial independent privacy program assessments, and some are newer solutions designed to put speed bumps into Facebook’s effort to “move fast and break things” (a Zuckerberg comment that the FTC used as justification for its institutional reforms).
First, the FTC required Facebook to form an Independent Privacy Committee, made up solely of Independent members of the Board of Directors, who meet certain baseline knowledge and experience requirements. The FTC tasked this committee with supervising Facebook’s privacy program and the company’s compliance with the Order. Second, the FTC required that Facebook create an Independent Nominating Committee with the sole authority to recommend the appointment of candidates to Facebook’s Board, and to put Directors on or remove them from the Independent Privacy Committee. Third, Mark Zuckerberg (or his successor) and the Executive in charge of compliance must sign off on Facebook’s compliance reports, exposing them to possible personal liability. And finally, Facebook has to report any unauthorized sharing of user data of 500 or more people to the FTC within 30 days of discovery.
These changes, while attacked by the dissenters as not going far enough, nevertheless impose an unprecedented number of structural safeguards into the corporate activities of Facebook. The changes even go so far as to fundamentally change how Facebook appoints Board members and assigns their duties. But, at the end of the day, the changes still require Facebook to govern itself, a fact that has caused some of the most serious objections. From our vantage point, however, structural changes like these are significant and not mere paper-pushing requirements, provided that the individuals appointed to the relevant positions take their jobs seriously.
Q: Does this mean that other companies should form a privacy committee, and if so, at what level?
Not necessarily, but possibly. Introducing this type of independent oversight committee – and at this organizational level – is a unique requirement due to the circumstances here. That said, the FTC has undertaken a marked increase to create greater accountability on privacy and data security issues for management and senior executives, including by including executives as individually liable on orders and requiring officer level certifications. We would expect to see more scrutiny of management and executive attention to and involvement in privacy issues. Whether companies achieve this prioritization by designating a high level privacy compliance officer that reports to the C-suite, creating a privacy committee, or through some other mechanism, the key to mitigating risk is likely to show that privacy issues are taken seriously at all levels of the organization through an institutional process and not just mission statements or hortatory remarks. Demonstrating there are built-in mechanisms that exist to check overzealous product teams is increasingly important, given this settlement.
Q: During the press conference, the FTC said that this settlement contains two really important messages. First, that the “price of privacy violations just went up.” Second, that companies should consider whether to elevate privacy concerns to the board level or at least upper level management. What else should people take away?
Marc Zwillinger: The violations all stem from what Facebook allowed developers to do on the platform. The company made certain representations about what consumers could control, but the FTC alleged that the permissions for developers were inconsistent with those representations. Many companies provide access to data streams to various third-party partners. This settlement suggests that companies will be held accountable to ensure that their representations are true as applied to all third parties (at least those who are not the company’s service providers).
Stacey Brandenburg: This settlement is another step toward privacy becoming a more highly regulated area. This Order sets forth a significant and much more diverse framework of steps that Facebook must take to guard against future privacy violations. Not all companies need to implement these same procedures, but the FTC’s articulation of them establishes more prescriptiveness about how to handle user data. And, with the clear message that accountability will occur at all levels of the organization, the consequences of non-compliance are greater.
Kandi Parsons: The days of unfettered collection and use of personal data are over. Critics have contended that $5 billion is just the cost of doing business for Facebook, but that type of fine will make companies – big and small – take notice. Beyond this case, the FTC’s recent actions have imposed corporate structural relief and whistleblowing provisions, hefty fines and have included individual officers, and legislatures around the world have enacted rigorous privacy laws (e.g. GDPR and CCPA). Finally, users have a better understanding of the how the data ecosystem works. The risks business now face include meaningful enforcement from a diverse set of regulators, potential private class actions, reputational impacts, and loss of business partners. These risks need not stifle innovation but can be mitigated by socializing and implementing privacy by design across the company.