It’s official: The Federal Trade Commission on Wednesday hit Facebook with a ground-breaking $5 billion penalty for privacy violations—but for compliance officers what’s even more significant than the fine is the unprecedented new privacy and corporate governance obligations Facebook must implement, setting new benchmarks for all in the industry to follow.
“The magnitude of the $5 billion civil penalty is unprecedented in global privacy enforcement,” FTC Chairman Joseph Simons said during a press conference. “This penalty is more than 200 times greater than the largest privacy penalty previously imposed in the United States and is more than 20 times greater than the largest fine imposed in Europe pursuant to EU’s General Data Protection Regulation.”
More impactful than the penalty amount is the settlement, through the FTC’s 20-year settlement order, which imposes significant structural reforms on how Facebook must do business moving forward, including greater corporate accountability and more rigorous compliance monitoring. It also creates an “unprecedented” level of transparency for the social media giant’s privacy practices, Simons said.
Specifically, the new privacy regime mandates four different information flows about privacy decisions through multiple internal and external channels of compliance, so that if a breakdown in one or more channels occurs, another channel can identify the problem and fix it, Simons explained. This approach “dramatically increases the likelihood that Facebook will be compliant with the order,” he said.
“This is a watershed moment in privacy enforcement and privacy governance.”
FTC Commissioner Noah Phillips
As part of Facebook’s order-mandated privacy program, the company must conduct a privacy review of each new or modified product, service, or practice before it is implemented and generate what is effectively a privacy impact statement for each one available to each channel of compliance. Designated compliance officers (DCOs) must generate a quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency. The order also requires Facebook to document incidents when data of 500 or more users has been compromised and its efforts to address such an incident and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.
“We’re going to set a completely new standard for our industry,” CEO Mark Zuckerberg touted in a statement in response to the settlement and the structural changes Facebook will be making. “Overall, these changes go beyond anything required under U.S. law today.” Zuckerberg said he supports the structural changes because, “I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.”
FTC targets Cambridge Analytica
The Federal Trade Commission has filed an administrative complaint against data analytics company Cambridge Analytica for allegedly employing deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.
Two of the defendants—app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix—have agreed to administrative orders restricting how they conduct any business in the future, and they must delete or destroy any personal information they collected. Cambridge Analytica has filed for bankruptcy and has not settled the FTC’s allegations.
The FTC alleges Cambridge Analytica, Nix, and Kogan deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their profile data. Cambridge Analytica used this alleged data to train an algorithm that then generated personality scores for the app users and their Facebook friends. The company, Kogan, and Nix then matched these personality scores with U.S. voter records.
In addition, the FTC alleges Cambridge Analytica falsely claimed until at least November 2018 that it was a participant in the EU-U.S. Privacy Shield framework, even though the company allowed its certification to lapse in May 2018. This appears to be a recent enforcement trend by the FTC. The Privacy Shield establishes a process to allow companies to transfer consumer data from EU countries to the United States in compliance with EU law.
The proposed settlement with the FTC prohibits Kogan and Nix from making false or deceptive statements regarding the extent—or the purposes—to which they collect, use, share, or sell personal information. The Commission vote to issue the proposed administrative complaint against Cambridge Analytica, and to accept the proposed consent agreements with Kogan and Nix, was 5-0.
The order further overhauls the way Facebook makes privacy decisions by boosting the transparency of decision-making and holding the company accountable through overlapping channels of compliance. “This is a watershed moment in privacy enforcement and privacy governance,” FTC Commissioner Noah Phillips said during the press conference. “Facebook, under this order, is having to make structural changes to its management, to its corporate charter, and to the selection and operation of its board of directors.”
The specific overlapping channels of compliance that Facebook must implement include:
Establishment of a new board committee focused solely on privacy-related risks. The new board committee creates greater accountability at the board level. Members of the privacy committee must be independent directors with relevant privacy and corporate-compliance expertise and will be appointed by a nominating committee comprised of independent directors. “The function of a committee like this, composed solely of independent directors, is to increase board independence and to improve corporate governance,” Phillips said.
“These corporate governance changes widen the number of people looking at privacy at Facebook, and they elevate the issue of privacy at Facebook,” Phillips said. “To be clear, my view is not that every company should have this structure.” Based on the facts of this specific case, “this is what Facebook needed,” he said.
Privacy committee members cannot be removed by the controlling shareholder under a revised corporate charter. “Members may not be removed for reasons relating to their good-faith actions as privacy committee members, absent an affirmative vote by two-thirds of the voting shares (more than the votes Zuckerberg controls),” the Commissioners explained in a statement. “The privacy committee must discuss with Facebook management the company’s privacy risks and the steps the company intends to take to monitor or mitigate such risks.” The privacy committee must also discuss privacy risks with the independent third-party assessor, both with and without management present.
Designated compliance officers. Facebook must designate compliance officers who will be responsible for its privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee—not by Facebook’s CEO or its employees.
Accountability at the individual level. Under the order, Zuckerberg and the DCOs independently must submit to the FTC quarterly certifications that the company complies with the privacy program mandated by the order and annually certify that it’s in overall compliance with the order. False certifications would subject Zuckerberg and the DCOs to personal liability, including civil and criminal penalties.
Enhanced monitoring oversight of Facebook by an independent third-party assessor and the FTC. Both the assessor and the FTC will have access to Facebook’s documentation of its privacy decisions, including quarterly privacy review reports and the incident reports required by the order. The order also enhances the assessor’s responsibilities, subjects the assessor to evaluation by the independent privacy committee, and gives the FTC the ability both to approve and fire the assessor if these responsibilities are not carried out thoroughly, the FTC said.
New privacy and security obligations
In addition to imposing a new corporate governance structure, the order further imposes significant new privacy and security compliance requirements on Facebook. “As part of this settlement, we’re bringing our privacy controls more in line with our financial controls under the Sarbanes-Oxley legislation,” Zuckerberg explained. “Our executives, including me, will have to certify that all of the work we oversee meets our privacy commitments.”
“Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program,” Zuckerberg added. “We’ve also asked one of our most experienced product leaders to take on the role of Chief Privacy Officer for Products.”
To implement these processes, Facebook will “have to review its technical systems to document any privacy risks and how we’re handling them,” Zuckerberg said. “Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we’re taking to mitigate them.”
Zuckerberg added that he expects these steps “will take hundreds of engineers and more than a thousand people across our company to do this important work, and we expect it will take longer to build new products following this process going forward.”
Among its new privacy obligations, the order requires Facebook to:
- Terminate developers’ access to users’ information if they fail to certify that they comply with Facebook’s platform policies or fail to justify their need for specific user data;
- Enforce its platform terms against app developers solely based on the severity of the violation and without regard to the financial benefit that flows to Facebook from the relationship; and
- Expand its existing privacy program to cover WhatsApp and any Facebook product or service that receives personal information from Facebook or WhatsApp (Instagram, as a part of Facebook, is also covered by the order).
“Moreover, this is the first FTC order to address biometric information, requiring Facebook to get consumers’ opt-in consent before using or sharing such information in ways that exceed prior disclosures and consents,” reads the FTC Commissioners’ statement. Facebook must also establish and maintain a comprehensive data security program—a combination of obligations not imposed by any other FTC order.
The order also specifies data-security obligations related to authentication, access controls, and encryption. For example, Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plain text.
During the press conference, Phillips stressed what broader compliance messages companies should take from the Facebook settlement. “The first message is that the price of privacy violations just went up,” he said. “This is an increased national focus on this issue, and this settlement is an important part of that.”
The second message: “Paying attention to privacy issues is something companies ought to consider whether to elevate to the board level,” Phillips said. “Is that necessarily true for every company? I don’t know. But is privacy an increasingly important issue in which all firms should focus from an oversight perspective? From a management perspective? Absolutely.”