The Federal Trade Commission recently announced that it approved modifications to its 2012 privacy order with Facebook. The FTC voted 3-2 to modify the 2012 Facebook order with the updated provisions included in the 2019 settlement. Commissioners Chopra and Slaughter dissented.
The modifications incorporate provisions from the record-breaking $5 billion settlement reached in 2019, which resolved allegations that the company violated its 2012 FTC privacy order by deceiving users about their ability to control the privacy of their personal information.
The FTC alleged, among other things, that Facebook violated the 2012 order by deceiving its users when the company shared the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings. In addition, the complaint alleged that Facebook failed to adequately police app developers on its platform, did not screen the developers or their apps before granting them access to vast amounts of user data, and did not maintain a reasonable privacy program.
In addition, the FTC alleged that Facebook misrepresented users’ ability to control the use of facial recognition technology with their accounts, and that the company violated the FTC Act’s prohibition against deceptive practices when it told users it would collect their phone numbers to enable a security feature, but did not disclose that it also used those numbers for advertising purposes.
The 2019 settlement imposes unprecedented restrictions on Facebook’s business operations and creates multiple channels of compliance. However, the settlement did not permit FTC attorneys to amend the 2012 administrative order with the updated consumer protections until the federal court entered its order.
The settlement also includes significant requirements to boost accountability and transparency. It includes modified corporate structure requirements that will hold the company accountable for the decisions it makes about its users’ privacy. It requires Facebook to restructure its approach to privacy from the corporate board-level down. And it subjects executives to meaningful oversight.
Following its investigation, the FTC alleged in 2019 that Facebook had repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences, in violation of the 2012 FTC order.
Facebook is now required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee. Facebook’s CEO and the compliance officers must each independently certify to the FTC that the company is in compliance with the order. A false certification can expose the individual signing it to civil and criminal penalties.
The order also strengthens external oversight of Facebook, according to FTC defense lawyer Richard Newman.
The order enhances the independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. The assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management.
The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis.
As part of Facebook’s order-mandated privacy program, which covers WhatsApp and Instagram, Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy.
The designated compliance officers must generate a quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency. The order also requires Facebook to document incidents when data of 500 or more users has been compromised and its efforts to address such an incident, and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.
Additionally, the order requires Facebook to exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data. It prohibits Facebook from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising. It also requires Facebook to provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.
The company must also establish, implement, and maintain a comprehensive data security program. It must encrypt user passwords (in practice, store them only as salted one-way hashes rather than in any recoverable form) and regularly scan to detect whether any passwords are stored in plaintext. Facebook is also prohibited from asking for email passwords to other services when consumers sign up for its services.
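The two password controls named above are the only parts of the order that describe a concrete technical safeguard. The following is an added illustration of what they look like in code; it is not Facebook’s implementation and is not drawn from the order. It stores passwords with PBKDF2-HMAC-SHA256 (the iteration count, the record format, and the sample log lines are all assumptions made for the example) and then scans stored records and log lines for any password-like field whose value is not in the expected hash format.

```python
"""Illustrative password-storage and plaintext-scanning controls.

Example code added to this page, not Facebook's implementation. The
hash record format, iteration count and sample lines are assumptions.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Assumed work factor; OWASP's current guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted, one-way hash record: algo$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# What a correctly stored credential looks like: 16-byte salt, 32-byte digest.
HASH_RECORD = re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]{32}\$[0-9a-f]{64}$")

# Password-like keys in key=value, key: value or JSON "key":"value" form.
PASSWORD_FIELD = re.compile(
    r"""(?i)\b(password|passwd|pwd)["']?\s*[:=]\s*["']?([^"'\s,}]+)"""
)


def scan_for_plaintext(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag every line carrying a password field that is not a hash record.

    Returns (1-based line number, offending value) pairs so an auditor can
    locate the record; the value itself should not be written to a report.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in PASSWORD_FIELD.finditer(line):
            value = match.group(2)
            if not HASH_RECORD.match(value):
                findings.append((lineno, value))
    return findings


# Constructed sample records (not real data). Line 1 is stored correctly;
# lines 2 and 4 hold plaintext passwords; line 3 carries no credential.
_FIXED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_LINES = [
    "user=alice password=" + hash_password("s3cret-example", salt=_FIXED_SALT),
    "user=bob password=hunter2",
    "2019-04-01T12:00:00Z INFO login ok user=carol",
    '{"user":"dave","password":"correct horse"}',
]


if __name__ == "__main__":
    stored = hash_password("s3cret-example")
    print("verify correct password:", verify_password("s3cret-example", stored))
    print("verify wrong password:  ", verify_password("nope", stored))
    for lineno, _ in scan_for_plaintext(SAMPLE_LINES):
        print(f"plaintext password field on line {lineno}")
```

The scanner deliberately treats anything that is not a well-formed hash record as a finding, so a record encrypted with a reversible cipher, or a hash produced with an unexpected algorithm, is flagged as well; a weaker check that only looked for obvious dictionary words would miss both.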
On April 23, 2020, Judge Timothy J. Kelly entered the order.
In response, FTC Chairman Joe Simons issued a statement on the court’s approval, noting that the settlement carries “the largest monetary penalty ever obtained by the United States on behalf of the FTC and the ‘second largest in any context.’” Chairman Simons also highlighted that “the conduct relief included in this settlement will require Facebook ‘to consider privacy at every stage of its operations and provide substantially more transparency and accountability for its executives’ privacy-related decisions.’”
Richard B. Newman is an FTC defense attorney at Hinch Newman LLP. Follow him on Twitter @FTC defense lawyer and on Facebook @FTC defense lawyer.
Informational purposes only. Not legal advice. May be considered attorney advertising.