On July 24, 2019, the Federal Trade Commission (FTC) filed a complaint and stipulated consent order against Facebook, the social networking site.
The FTC filed the complaint after investigations revealed that Facebook was not complying with a 2012 FTC order to stop misrepresenting the extent to which users controlled their privacy settings, and that Facebook was engaging in new unfair and deceptive privacy practices not previously identified in the 2012 matter.
The complaint recounts the Facebook business practices that led to the 2012 order – namely, that Facebook shared personal information not only with users' "friends" but also with the third-party app developers whose apps were downloaded by such friends – and alleges that Facebook permitted such practices to continue through 2018 for a select few "whitelisted" developers. Further, the complaint alleges that Facebook failed to maintain the reasonable privacy safeguards it had promised to set up in the 2012 order, maintaining instead a lax policy that granted app developers access to user data without any sort of vetting, required only a promise to adhere to Facebook developer guidelines, and allowed financial benefit to steer favorable enforcement practices.
The FTC also found that Facebook used deceptive wording in its data policy which suggested that facial recognition technology used to tag people in user-uploaded photographs would only be used if users opted into the feature, when, in reality, tens of millions of users would have to opt out of the facial recognition feature.
The complaint also alleges a new violation of Section 5(a) of the FTC Act – namely, that Facebook deceived users by using the phone numbers given for two-factor authentication for targeted advertising purposes, a practice which, according to the FTC, was not made clear to affected users.
The FTC order imposes new penalties and requirements on Facebook
In addition to requiring Facebook to cure the violations of the 2012 order and to create a comprehensive data security program, the new Stipulated Order for Civil Penalty, Monetary Judgment, and Injunctive Relief (FTC order) imposes a number of new penalties and requirements on Facebook and curbs the influence of CEO Mark Zuckerberg over the company's data practices.
The FTC order imposes $5 billion in civil penalties for the violations of the 2012 order. The order also sets up a new oversight regime and a system of checks on Facebook's business arrangements with respect to privacy. It creates an independent privacy committee within the existing board of directors tasked with overseeing privacy practices, removing and replacing privacy officers where necessary, and meeting with an independent privacy assessor on a quarterly basis to assess material privacy risks. The committee must remain independent, meaning that Facebook management cannot be members of the committee.
Additionally, Mark Zuckerberg must personally certify to the FTC on a quarterly basis that Facebook is in compliance with the order, subject to civil and criminal sanctions if misrepresentations are made.
The complaint and FTC order do not come without criticism. The FTC voted to refer the complaint and stipulated order 3-2, with both nay-voting commissioners publishing their dissents and the FTC chairman defending the order on the basis that it provides swifter and likely stronger relief than the Commission would have obtained had it brought contempt proceedings against Facebook.
Learn more by contacting any of the authors or your usual DLA Piper lawyer.