FTC levies historic fine on Facebook for privacy violations

The U.S. Federal Trade Commission today announced that it has penalized Facebook $5 billion as punishment for what it described as deceptive privacy practices, and imposed new restrictions on the social media giant. Facebook likewise announced that it has agreed to the terms of the deal.

In conjunction, the Department of Justice officially filed a legal complaint against Facebook, accusing the company of misrepresenting to consumers the extent to which they could control the privacy of their data and to which Facebook made their data available to third parties.

Meanwhile, the FTC separately announced that it has also submitted an administrative complaint against Cambridge Analytica, the political consulting firm that used a third-party developer's app called GSRApp to glean data from tens of millions of Facebook users without their consent, triggering what became Facebook's most notorious privacy scandal. The agency also confirmed that former Cambridge Analytica CEO Alexander Nix and GSRApp developer Aleksandr Kogan have both, as part of a proposed settlement, accepted restrictions on how they conduct business in the future and agreed to destroy any personal data in their possession.

The Securities and Exchange Commission also imposed its will, announcing its own $100 million fine that Facebook also agreed to, as compensation for misleading investors about the potential for parties to misuse Facebook user data. According to the SEC, Facebook's public disclosures to the financial community portrayed such misuse as a mere hypothetical scenario, when the company was already aware of the developing Cambridge Analytica controversy.

Facebook today addressed the settlement as well in a press release and a company-wide event where CEO Mark Zuckerberg spoke publicly. "This is a new chapter for the company. Privacy is more central than ever to our vision of the future, and we're going to change the way we operate across the whole company from the leadership down and the ground up," said Zuckerberg. "We're going to change how we build products, and if we don't, then we're going to be held accountable for it."

"Overall, these changes go beyond anything required under U.S. law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone," Zuckerberg also said in his own Facebook post.

The penalty the FTC has handed down is the largest ever for a privacy violation, and one of the largest ever doled out by the U.S. government on any company, for any reason.

The DOJ's official complaint asserts that Facebook flouted both a previous 2012 FTC order and the Federal Trade Commission Act through a long history of allegedly misleading statements that falsely downplayed or disputed the social media company's vast data collection and sharing efforts. Such efforts include the company's previous practice of providing developers of third-party applications with data on not just Facebook users who downloaded the app, but also users' entire network of Facebook friends, who never consented to data collection of this nature. The DOJ also charged Facebook with a failure to establish and implement a comprehensive privacy program as directed by the 2012 FTC order.

"The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information," said Assistant Attorney General Jody Hunt for the Department of Justice's Civil Division, in a DOJ press release. "This settlement's historic penalty and compliance terms will benefit American consumers, and the department expects Facebook to treat its privacy obligations with the utmost seriousness."

"Despite repeated promises to its millions of worldwide users that they could control how their personal information is shared, Facebook took steps to undermine consumers' choices," said FTC Chairman Joe Simons in an FTC news release. "The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish previous violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations."

Under the terms of its new, 20-year settlement, Facebook must create an independent privacy committee of Facebook’s board of directors outside of Zuckerberg's control, as well as designate compliance officers who will author a quarterly privacy review report and oversee Facebook’s privacy program, which also includes WhatsApp and Instagram.

Additionally, Facebook must conduct responsible oversight of third-party apps, clearly notify users and seek their consent when using facial recognition technology, operate a comprehensive data security program and encrypt user passwords. Moreover, the company will be prohibited from asking for email passwords to outside services or using telephone numbers for advertising purposes if those numbers were specifically given to enable a security feature.

Bradley Barth

