Washington, D.C.—On Wednesday, the Federal Trade Commission (FTC) announced Facebook’s agreement to pay $5 billion to settle the voluminous amount of privacy allegations brought against the company.
The FTC’s order specifically addresses Facebook’s alleged mishandling of user’s phone numbers and the platform’s use of two-factor authentication as part of a wide-ranging complaint. This settlement will ultimately end the government’s privacy investigation against the company.
“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company…” —Facebook representative
Breaking Down the 20-Year FTC Settlement
That’s right, you heard it correctly—a 20-year settlement. The FTC settlement order was approved by the FTC’s five-member board by a 3-2 vote. While significantly harsh, the deal does not require Facebook to admit culpability for its alleged mishandling of user information in the Cambridge Analytica data breach—somewhat shocking given the circumstances.
However, considering the courtesy, the FTC is requiring Facebook’s CEO, Mark Zuckerberg to personally certify and stipulate as to the company’s regular digital practices.
- Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
- Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
- Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
- Facebook must establish, implement, and maintain a comprehensive data security program;
- Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
- Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
What You Need to Know About the FTC Settlement
#1 –The Largest Civil Fine Ever Paid to the FTC
This settlement will mark the largest civil penalty ever paid to the FTC by a company.
Previously, the highest fine was $22.5 million against Google for its privacy practices back in 2012. The $5 billion fine against Facebook represents approximately 9% of the company’s 2018 revenue. A small price to pay considering the amount of information involved.
While the FTC’s board has approved the deal, it must still be approved by a federal judge.
#2—The Creation of the ‘Privacy Panel’
As part of the settlement, Facebook has agreed to the creation of a board committee on privacy. Specifically, the FTC order mandates that Facebook create an independent privacy committee on its board of directors to remove “unfettered control” by Mr. Zuckerberg over user privacy decisions, shifting the burden to the company itself and its soon to be newly-created panel.
The members of the privacy board will be nominated by an independent nominating committee and can only be fired by a two-thirds of voting shares, which would prevent Facebook’s CEO from controlling the vote with his share power.
#3—Recurring Certification As to User Privacy
In lieu of Facebook having to admit culpability for its alleged mishandling of user information in the Cambridge Analytica breach, Facebook, via Mr. Zuckerberg, will have to personally certify, along with privacy officers, every three months, that the company is properly safeguarding user privacy.
Outside of Facebook, an independent third-party assessor approved by the FTC, will conduct biennial assessments and report to the new privacy committee quarterly. Facebook must notify the assessor within 30 days of discovering that data of 500 or more users has been compromised.
Other Enforcement Actions
The SEC Settlement
Earlier, the Wall Street Journal reported that Facebook has agreed to pay an additional $100 million to the SEC over allegations that it failed to disclose risks to investors over its privacy practices.
FTC Addressing ‘Facial Recognition’ Issues
According to reports by The Washington Post, the FTC also plans to address Facebook’s facial recognition tool, in which it is alleged that the company provided insufficient information to approximately 30 million users—an issue identified earlier by Consumer Reports.
While Facebook is not the only company having to address such issues with this technology, Congress is finally addressing, for the first time in history, the limits in which facial recognition technology can be utilized and implemented, specifically with respect to landlords and tenants.
At the end of the day, it is important to note that this isn’t about Facebook being “the big bad wolf”—rather, this serves as an example of one of the most trusted and utilized tech companies in the world being forced to take on the role it has yearned for since its inception—a global example of user connectivity.
FTC Goes After Cambridge Analytica
But have no fear, as the FTC also announced today separate law enforcement actions against data analytics company, Cambridge Analytica, its former CEO, Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, alleging they used false and deceptive tactics to harvest personal information from millions of Facebook users.
This is just the beginning as Congress, the FTC, and the SEC have all been forced to address how the biggest U.S. tech companies are utilizing our information and what steps they are required to take in today’s digital age.
This settlement will hopefully bring Facebook back into the public’s graces as a leading tech company that can really connect its users, while ensuring they are protected.
And Facebook agrees, as evidenced by its blog post on Wednesday:
“The FTC agreement is not only about regulators, it’s about rebuilding trust with people.”
“The magnitude of this penalty resets the baseline for privacy cases—including for any future violation by Facebook—and sends a strong message to every company in America that collects consumers’ data: where the FTC has the authority to seek penalties, it will use that authority aggressively.”
–FTC Chairman, Joe Simons and Comissioners, Noah Joshua Phillips and Christine S. Wilson