The US government has fined Facebook a record $5 billion to settle Federal Trade Commission (FTC) charges that the company deceived users about how it was using their private information. The fine makes few changes likely to impact Facebook’s advertising business, and is the equivalent to a third of its advertising revenue in Q1.
Among the Department of Justice’s new requirements in a 20-year settlement:
- Facebook is banned from using for advertising telephone numbers it obtained from users setting up two-factor authentication.
- Facebook must provide “clear and conspicuous notice” of its use of facial recognition technology, and obtain affirmative express user consent
- It must set up and maintain a comprehensive data security program;
- Facebook must encrypt user passwords
- Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
Facebook had anticipated a fine of between $3-$5 billion.
The penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide, the FTC said today. The Department of Justice said it “expects Facebook to treat its privacy obligations with the utmost seriousness.”
FTC commissioner, Rohit Chopra, was scathing about the settlement, saying: “I voted no.
“It doesn’t fix the incentives causing these repeat privacy abuses. It doesn’t stop Facebook from engaging in surveillance or integrating platforms. There are no restrictions on data harvesting tactics — just paperwork. Facebook gets to sign off on what’s acceptable”, he tweeted today.
“Mark Zuckerberg, Sheryl Sandberg, and other executives get blanket immunity for their role in the violations. This is wrong and sets a terrible precedent”, he added.
The government just announced its proposed settlement with Facebook for its privacy failures. $5 billion sounds like a lot, but the fine print in the settlement has a lot for $FB to celebrate. I voted no. Here’s why.
— Rohit Chopra (@chopracfpb) July 24, 2019
The government says the settlement order imposes “unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance.”
The fine follows a year-long investigation by the FTC into allegations that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 FTC order to desist.
These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook “friends.” The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing.
Facebook Record Fine – And New Requirements
The FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions and establishes “overlapping channels of compliance.”
It establishes an independent privacy committee of Facebook’s board of directors, removing “unfettered control” by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy, and sets up a new order-mandated privacy programme which covers WhatsApp and Instagram. As part of that plan Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy.
In a related, but separate development, the FTC also announced separate law enforcement actions against data analytics company Cambridge Analytica, its former Chief Executive Officer Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, alleging they used false and deceptive tactics to harvest personal information from millions of Facebook users.
Kogan and Nix have agreed to a settlement with the FTC that will restrict how they conduct any business in the future. With Cambridge Analytica having filed for bankruptcy, the two merely face a prohibition from “making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information”.