
FTC says Facebook broke terms of $5B data privacy settlement


Meta is once again in the hot seat. This time, the Federal Trade Commission is accusing the social media giant of failing to comply with its $5 billion data privacy settlement with the agency in 2020.

The social media giant is accused of misleading parents about their ability to control who their kids communicate with on the Facebook Messenger app and misrepresenting the access it provided to app developers in violation of two previous FTC orders.

In response, the FTC is seeking to pause the launch of any new products or services by Meta “without written confirmation from the [independent] assessor that its privacy program is in full compliance with the order’s requirements and presents no material gaps or weaknesses.”

The accusations mark the third time the FTC has taken action against the company over alleged failures to protect the privacy of its users. The first complaint was filed in 2011, leading to a 2012 order that barred Facebook from misrepresenting its privacy practices.

However, the FTC found Facebook in violation of the order within months of its finalization after it “engaged in misrepresentations that helped fuel the Cambridge Analytica scandal.” As a result, Facebook agreed to a second order in 2019 to resolve claims it violated the first FTC action.

The order went into effect in 2020 and came with a $5 billion civil penalty. It also bolstered the company's required privacy program and gave an independent third-party assessor greater authority to evaluate the program's effectiveness.

Announced May 3, the FTC’s new action against Facebook claims the company violated the 2020 and 2012 agreements, in addition to the Children’s Online Privacy Protection Act Rule (COPPA Rule).

Facebook is accused of "continuing to give app developers access to users' private information after promising in 2018 to cut off such access, if users had not used those apps in the previous 90 days," and of letting those third-party developers access that user data until at least mid-2020, according to the FTC.

“Facebook has repeatedly violated its privacy promises,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “The company’s recklessness has put young users at risk, and Facebook needs to answer for its failures.”

The 2020 order required Facebook to conduct a privacy review of each new or modified product, service, or practice prior to implementation and to document its risk mitigation findings. The order also required the company to implement greater security for user information, and it imposed restrictions on the use of facial recognition and of phone numbers gathered for account security.

In carrying out the review required under the 2020 order, the independent assessor identified several gaps and weaknesses in Facebook's privacy program. According to the Order to Show Cause, the breadth and significance of these deficiencies pose substantial risks to the public.

As a result of those findings, the FTC is proposing a ban on Meta profiting from data it collects from any user under the age of 18, including data gathered through its virtual reality products. The FTC would also put guardrails on the company's use of facial recognition technology and add further requirements to its user protections.

Those bans would be part of an update to the 2020 FTC order, which would also require Meta to ensure that any company it acquires or merges with complies with all FTC orders and "to honor those companies' prior privacy commitments."

The proposed new order would also strengthen the privacy requirements of the 2020 order including those tied to privacy review, third-party monitoring, data inventory and access controls, and employee training, along with expanding Meta’s reporting obligations to include violations of its own commitments.

If the proposed order is adopted, Meta would be able to collect and use identifying data from users under 18 only to provide services or for security purposes. The company would be barred from profiting from that information or using it for "commercial gain even after those users turn 18."

Meta has 30 days to respond to the allegations, which concern violations that occurred from late 2017 until mid-2019. The company is currently defending itself against similar allegations in consumer-led lawsuits over the scraping of hospital data via its Pixel tracking tool.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
