
The Facebook $5 billion Landmark Settlement

While the 2019 Facebook settlement - following the Federal Trade Commission’s (FTC) $5 billion civil penalty for violations of a 2012 order - may not have made the headlines across the globe, its magnitude is historic and will reverberate across many sectors and geographies for years to come. However, it is not just about the mind-boggling size of the penalty (at a time when European data protection authorities seem rather conservative in their sanctions), but about the organizational and cultural shift it imposes on Facebook. The unprecedented penalty has certainly captured the attention of companies, and hopefully it will also trigger some much-needed soul-searching that results in a reshaping of current privacy practices. Here’s why.


Background

Starting from the beginning: what motivated this historic case in the first place? For this, we need to go back to 2012, when Facebook was charged with eight privacy violations by the FTC concerning, but not limited to, “deceptive claims about consumers’ ability to control the privacy of their personal data”[1].

In an agreement to settle the case, as well as being required to implement a reasonable privacy program, Facebook was prohibited from making misrepresentations about:

—   the privacy or security of personal data;

—   the extent to which consumer information is shared.

In short: the company had to honor the privacy preferences of its consumers or risk an order enforcement action. According to the FTC, Facebook did not meet the requirements of the agreement and de facto misrepresented the extent to which account holders could control the privacy of their personal data.

The official complaint, in which the FTC alleges that Facebook violated its privacy promises to consumers and thereby violated the 2012 Commission order, details the ways in which Facebook failed to meet the requirements. For instance, despite offering features such as “Privacy Shortcuts” and “Privacy Check-up” - which claimed to limit access to a user’s personal data by letting them manage their privacy settings, for example by restricting access to just their Facebook friends - Facebook nonetheless provided that data to companies that developed apps used by the user’s friends. As a result, information about the user’s relationship status, work history, religious and political convictions, as well as their photos and the videos they watched, was captured and shared with third parties. Moreover, the settings Facebook offered to enforce users’ privacy preferences were not easily accessible, nor were they near the section in which consumers were supposedly able to “review and edit the privacy of key pieces of information”. Instead, these settings were stored in a much less obvious place.

A New Day for Privacy at Facebook

As mentioned, this settlement is about more than just the money - it goes deeper, as it resets the way Facebook has dealt with privacy to date and considerably limits the powers of its key figure and founder, Mark Zuckerberg, as regards decision-making on privacy matters.

In addition to having to implement a rigorous program to monitor third-party developers, Facebook must put in place a comprehensive data security program in order to protect consumers’ privacy. Importantly, these programs must also cover companies controlled by Facebook - including Instagram, WhatsApp and other Facebook-owned affiliates that receive information about its consumers - and the order runs until 2039.


The FTC order rewrites Facebook’s privacy map by setting up an Independent Privacy Committee as a subgroup of Facebook’s Board of Directors. Importantly, Mr. Zuckerberg, along with other Facebook officers and staff, is ineligible for membership. The Committee’s mandate includes briefings on all material privacy risks, as well as the right to approve and remove the designated Compliance Officers and the new Third Party Assessor.

At the operational level, the designated Compliance Officers will implement Facebook’s privacy program. This includes documenting every material privacy decision and providing that documentation to the Third Party Assessor and the CEO every quarter. Additionally, the Compliance Officers will have to certify to the FTC that Facebook is fully compliant with the privacy program; failing to do so will trigger closer oversight by the FTC. The Committee will also meet with the Third Party Assessor (“the Assessor”) each quarter, without Facebook management present.

The Assessor is responsible for monitoring and will conduct independent evaluations of Facebook’s privacy practices every two years.

As mentioned, Mr. Zuckerberg’s role will also change dramatically. As the CEO of the company, he will receive the written privacy program and the quarterly reports of privacy decisions, and each quarter he will have to certify that Facebook complies with the privacy program - an untruthful certification could result in civil or criminal penalties.

Mr. Zuckerberg has no say in the appointment or removal of the Assessor and the Compliance Officers (this lies with the Committee), and no control over the Committee.

As for the regulator - the FTC - it will have unmatched access to Facebook’s privacy decisions and, upon request, copies of the Assessor’s reports. The order also comes with tools that give the FTC further visibility into Facebook’s privacy compliance.

“OK, but we are not Facebook…”

Certainly, many CEOs and Compliance Officers alike will respond to the news of this penalty by stating, correctly, that most companies are not Facebook and that this is an extreme case. While this may very well be true, in a data-driven economy that runs on consumer data as fuel, are there really no lessons to be drawn from this precedent?

  • Apart from the obvious - that you should take your regulator seriously the first time around - it is worth considering that this penalty was imposed in the US, not on GDPR territory. For trans-Atlantic companies, it is no longer an option to limit privacy programs and effective in-house monitoring to European shores. Privacy matters, regardless of geography. This is only the beginning.
  • Data-driven companies wanting to avoid this type of regulatory shock to the system would do well to look at this penalty from a different angle. Instead of reading it as a horror story, how about treating it as guidance from the regulator? If your company already has a privacy program in place, it would be worth considering setting up an oversight committee to function as a sounding board for privacy decisions and as a source of general guidance on data protection and security issues. Such a committee can be populated by external experts and the internal Data Protection Officer (DPO) only, or by the C-level executives and one external subject matter expert to bring a fresh perspective.
  • For all companies, data-driven or not, it is highly recommended to undergo regular assessments against the legal framework in your jurisdiction(s) - be it the GDPR, the CCPA, the PDP Bill, etc. - to ensure continuous compliance.
