On Wednesday, the United States Federal Trade Commission ("FTC") announced a settlement agreement with Facebook concerning Facebook’s alleged violations of a prior consent order it had entered into with the FTC. The settlement will require court approval, but its proposed terms are notable for many reasons, including the issuance of the largest FTC penalty ever for privacy violations: $5 billion. For any company that handles personal data, the settlement’s oversight provisions provide some insight into the FTC’s priorities and can inform privacy practices and governance.
Both the original consent order and the immediate settlement arose from Facebook’s disclosures of users’ personal data and alleged shortfalls in Facebook’s privacy notices. The FTC alleged that Facebook generally failed to supervise developers of apps on its platform and did not adequately vet them before giving them access to large amounts of users’ data. In addition, the FTC alleged that Facebook’s disclosures concerning its facial recognition program were deceptive because they suggested that users needed to opt-in to the feature, even though it was turned on for all users by default. The FTC also alleged that although Facebook introduced privacy-related features such as “Privacy Shortcuts” and “Privacy Checkup,” it failed to disclose that even under the most restrictive sharing settings, Facebook could still share users’ information with the apps of the user’s Facebook friends unless the user changed separate settings in an entirely different interface.
In a statement, the FTC Commissioners who approved the settlement said that “the relief we have secured today is substantially greater than what we realistically might have obtained by litigating, likely for years, in court.” Indeed, the settlement agreement imposes a number of controls over Facebook’s privacy practices and by its terms, these measures will be in place for twenty years. Among these terms are a requirement that Facebook conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy. It also must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.
The settlement also includes a number of governance measures, including the establishment of an independent privacy committee of Facebook’s board of directors, to be appointed by an independent nominating committee and removable only by a supermajority of the board. Facebook will also be required to designate privacy compliance officers who will be subject to the approval of the new board privacy committee, and can be removed only by that committee, not by Facebook executives or employees.
The settlement also strengthens oversight by an independent third-party assessor of Facebook’s privacy practices and requires the assessor to make quarterly reports to the privacy committee of the board. Finally, the settlement requires that Facebook CEO Mark Zuckerberg and Facebook compliance personnel submit regular certifications that the company is complying with the order, which creates potential liability at the individual level for any violations.
To be sure, the imposition of these measures is a reflection of Facebook’s particular practices and the fact that it was already subject to an FTC consent decree. And virtually no company would voluntarily adopt measures as stringent as the settlement establishes. But for companies not in Facebook’s shoes, these terms still serve as examples of measures that the FTC will view favorably in the event of privacy investigations or enforcement proceedings. If a company eventually suffers a breach or uncovers an inadvertent disclosure or misuse of users’ personal data, a track record of proactive privacy protection will serve it well in any investigation into that incident.
Accordingly, it may benefit companies with no track record of privacy violations to take steps that echo, to some extent, the terms of the Facebook settlement. For instance, they can consider creating an independent line of reporting for privacy personnel, ensuring that a single executive cannot unilaterally dictate privacy practices. They can also establish a structure of privacy reviews for each new and modified form of personal data processing, and they can document the decisions they reach concerning user privacy at these junctures. And they can provide separate and conspicuous notices to users concerning the processing of particularly sensitive categories of personal data such as location information, facial recognition data, or biometric information. These steps are not required under current U.S. federal law (although they do echo some provisions of the European Union General Data Protection Regulation, such as the requirement to appoint a data protection officer and to conduct data privacy impact assessments). Nevertheless, proactively adopting them can position a company well if it needs to defend its practices in light of a breach or unauthorized disclosure of personal data.
Facebook’s agreement to the terms of this settlement with the FTC was an effect of its own practices and prior enforcement proceedings by the FTC. But companies that have never been on the FTC’s radar can still use the settlement as a guide to help develop their privacy programs and position themselves well to address any future incidents.
