Facebook Settles With Record $5b FTC Fine

The United States and Facebook have settled allegations that Facebook did not uphold its settlement agreement made with the Federal Trade Commission (FTC) nearly a decade prior. At the time, the FTC and Facebook agreed to settle “allegations that Facebook’s information-sharing and privacy practices violated Section 5 of the Federal Trade Commission Act because they were unfair and deceptive.” As part of the settlement, “Facebook committed to maintaining a privacy program and to not misrepresenting the privacy protections it afforded its users.”

The stipulated order requires Facebook to pay a $5 billion penalty, “by far the largest penalty ever won by the United States on behalf of the FTC,” and provides for an amended administrative order by the FTC requiring Facebook to take more measures to protect users’ personal information. The District of Columbia District Court has granted the consent motion and entered the order as proposed.

Facebook users share personal information, “such as their name, date of birth, hometown, current city, employer, relationship status, political views, photos of minor children, and membership in health-related and other support groups” with the social media giant. Additionally, Facebook users can have third-party apps share information with Facebook. The court states that the “collection and maintenance of its users’ personal information is an essential part of Facebook’s business model. That model monetizes users’ personal information by deploying it for advertising.”

In 2012, the FTC filed an administrative complaint against Facebook for violating Section 5(a) of the Federal Trade Commission Act for its unfair and deceptive acts or practices. These practices include misleading users about their privacy and what information was shared. In August 2012, the FTC and Facebook settled. “Facebook was prohibited from making misrepresentations about the extent to which it maintains the privacy or security of its users’ personal information; the extent to which its users can control the privacy of that information, and how they can do so; and the extent to which it makes its users’ personal information accessible to third parties. Facebook was also required to establish and maintain ‘a comprehensive privacy program that [was] reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [its users’ personal] information.’” Facebook also had to consider future risks and continually monitor the program. The order expires in July 2032, 20 years after the complaint was filed.

The government now alleges Facebook violated the 2012 order by “subvert[ing] users’ privacy choices to serve its own business interests.” For example, while “Facebook led its users to believe they could restrict who could view their personal information, it allegedly shared that information with third parties without the user’s knowledge.” Facebook shared information with third-party applications and it also “automatically activated certain facial recognition technologies on a subset of about 60 million user accounts and maintained that technology’s activation while telling its users that it would only do so if a user requested it.” Facebook also maintained default settings that did not protect user privacy. Facebook did not assess and screen third-party applications before giving them access to user data and information. Facebook is accused of violating five counts of the 2012 order “by misrepresenting to its users how much control they had over their personal information and how much third-party application developers could access that information…, and by failing to maintain a reasonable privacy program.” Facebook and the FTC have reached a settlement for these new allegations.

In addition to the aforementioned fine, the new order imposes an amended administrative order from the FTC. Facebook would also be required to take a variety of corrective steps, including “ceasing its misrepresentation about a host of matters, including its collection, use, and disclosure of its users’ personal information; the extent to which it maintains the privacy or security of that information; the extent to which users can control the privacy of that information, and how they can do so; and the extent to which it makes its users’ personal information accessible to third parties”; “deleting or de-identifying users’ personal information within a reasonable time after a user deletes it or closes her account”; “stopping using telephone numbers provided by users for security purposes for advertising purposes as well”; “obtaining a user’s specific consent before applying facial recognition technology to their account”; and “implementing a more robust privacy program, which must include safeguards that apply to third parties with access to a user’s personal information,” among other measures for Facebook to take to remedy the situation. As a result of these actions, Facebook will receive a “considerable reprieve from liability.” This order will end in 20 years or 20 years after the U.S. or FTC files that Facebook violated the order.

In response to the court’s approval of the settlement, FTC Chairman Joe Simons stated, “We are pleased with the Court’s decision. As the Court notes, the historic $5 billion settlement is ‘by far’ the largest monetary penalty ever obtained by the United States on behalf of the FTC and the ‘second largest in any context.’ At the same time, the Court also highlights that the conduct relief included in this settlement will require Facebook ‘to consider privacy at every stage of its operations and provide substantially more transparency and accountability for its executives’ privacy-related decisions.’”