On Friday, April 23, the United States District Court for the District of Columbia approved Facebook’s $5 billion settlement with the Federal Trade Commission, nearly 10 months after the FTC had announced it in July 2019. The settlement is the largest penalty in history for a violation of consumer privacy, the largest obtained by the FTC, and the second largest in any context.

The settlement stems from allegations that Facebook violated an FTC settlement order from 2012, which prohibited Facebook from making misrepresentations about the privacy and security of consumers’ personal information, including, for example, the extent to which it shares personal information with third parties. The FTC alleged, among other things, that Facebook violated the order by deceiving users when it shared the data of its users’ friends with third-party app vendors, even when those friends had set more restrictive privacy settings. The FTC further alleged that Facebook misrepresented users’ ability to control the use of facial recognition technology with their accounts, and engaged in a deceptive practice when it collected users’ phone numbers to enable two-factor authentication without disclosing that it would also use those numbers for advertising purposes.

In addition to the $5 billion that Facebook is forced to pay, the settlement imposes new and noteworthy restrictions on Facebook’s business operations and creates “multiple channels of compliance.” To that end, the settlement requires Facebook to:

  1. Restructure its approach to privacy from the corporate board-level down and establish new mechanisms to keep its executives accountable for the decisions on user privacy. CEO Mark Zuckerberg, who is now stripped of his control over privacy decisions along with certain compliance officers, is required to submit quarterly and annual reports to ensure compliance with the FTC order. Any false certification may subject them to individual civil and criminal penalties.
  2. Form an independent third-party privacy committee to advise its board of directors when it comes to user data and use of personal information.
  3. Work with a compliance assessor, reporting directly to the independent committee, who will evaluate the effectiveness of Facebook’s privacy program and identify any gaps. The assessor’s evaluation will be based on independent fact-gathering, sampling, and testing, and may not rely on mere assertions or attestations by Facebook management.
  4. Conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy.
  5. Document incidents when data of 500 or more users has been compromised and its efforts to address such an incident and deliver this documentation to the FTC and the compliance assessor within 30 days of Facebook’s discovery of the incident.

The settlement also imposes several new privacy requirements on Facebook including, for example, exercising greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies; refraining from using telephone numbers obtained to enable security features; and providing clear and conspicuous notice of use of facial recognition technology, and obtaining affirmative express user consent before any use that materially exceeds its prior disclosures.

As we previously discussed in 2007 regarding data security standards, and again more recently, evaluating FTC enforcement actions can provide a roadmap for businesses seeking to mitigate their own privacy and data security risks. Moving forward, it would not be surprising to see the FTC expect requirements similar to those included in this settlement of other organizations. Some of the common areas in which in-house counsel can evaluate potential risk, as highlighted by this enforcement action, include: (1) program oversight (i.e., accountability); (2) data use rules; (3) data usage monitoring; (4) third-party vendors and partners; and (5) employee and user education. Compliance should work with the appropriate in-house teams (marketing, business, IT, etc.) so that gaps can be identified and appropriately resolved, using the FTC actions as a sounding board. One thing has always been clear: it is imperative to stay proactive in responding to potential threats and to maintain defensible security plans when it comes to security measures.

Just as the California Consumer Privacy Act (“CCPA”) provides defenses to the claims that survived in In re: Facebook Inc. Internet Tracking Litigation, CCPA compliance would also provide defenses to the claims settled with the FTC. For more information, see our article published in Law360, Calif. Privacy Law Takeaways From 9th Cir. Facebook Case.