
Facebook Fined $5B by FTC For Privacy Violations

The U.S. Federal Trade Commission (“FTC”) has issued a settlement with Facebook, fining the company a record-breaking $5 billion for committing privacy violations in defiance of its 2012 consent decree. The fine is the highest in the history of global privacy enforcement, and requires extensive reforms to Facebook’s corporate governance structure in order to instill higher accountability and transparency in its privacy practices.

The $5 billion fine is reportedly 9% of Facebook’s $55.8 billion 2018 revenue and approximately 23% of its 2018 profit. “The relief is designed not only to punish future violations,” said FTC Chairman Joe Simons, speaking at a press conference, “but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

The violations were discovered over a year-long FTC investigation into Facebook’s privacy practices, following the Cambridge Analytica revelations. The FTC alleged Facebook “repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of the 2012 FTC order.”

“Today is a watershed moment in privacy enforcement and corporate governance,” said FTC Commissioner Noah Phillips. “The price of privacy violations just went up.” The Department of Justice, which is also responsible for enforcing the terms of the order, declared the fine to be the second-largest penalty from the Department in any context.

“Is paying attention to privacy issues something all companies should focus on from an oversight and management perspective?” added FTC Commissioner Phillips. “Absolutely.”

The order removes CEO Mark Zuckerberg’s direct control over the company’s privacy decisions, and instead creates an independent privacy committee of Facebook’s board of directors. In addition, the federal agency’s order requires Facebook, and the Facebook-owned companies WhatsApp and Instagram, to conduct extensive privacy impact assessments before any new or modified product, service or practice is implemented. Compliance officers must document each such assessment, create quarterly incident reports and share those reports with the CEO and a third-party assessor. The company is further obligated to disclose privacy incidents that affect 500 or more users within 30 days of discovery.

The order also mandates stringent privacy initiatives. These include implementing a data security program, encrypting passwords, greater oversight of third-party apps, affirmative express user consent, posted clearly and conspicuously, for the use of facial-recognition technology, a prohibition on using phone numbers obtained for two-factor authentication for advertising purposes, and a ban on asking for e-mail passwords when users sign up for Facebook’s services.

While the FTC currently only has limited authority to issue such fines for unfair or deceptive trade practices, the law of privacy is constantly evolving at the state, federal and international levels. The FTC used the announcement of this record-breaking fine to once again call on Congress to enact comprehensive privacy regulations at the federal level.

As privacy issues become more commonplace and consumers become more and more aware of the risks, it is imperative that companies draft and implement common-sense privacy policies that comply with federal and state law. California recently passed the California Consumer Privacy Act, which will become the most comprehensive U.S. regulation to date dealing with the collection, storage and use of personal information. Now, more than ever before, it is important that businesses take note of these regulatory requirements and build a privacy plan that protects both their consumers and the business itself from regulatory scrutiny.

Our Attorney Partner, Michael W. Schroeder, is a Certified Information Privacy Professional (CIPP-US), licensed and certified by the International Association of Privacy Professionals (IAPP). We specialize in the creation and implementation of privacy plans and policies for U.S. businesses.

Under current California law, any business that owns and operates a website must have a privacy policy, conspicuously posted on the homepage of each of its website(s). The FTC can issue fines for any false, misleading, deceptive or mischaracterized statement in a privacy policy. If you do not have a privacy policy, or are unsure whether your policies and corporate practices are in harmony with currently applicable regulations, call our office today at 323-553-1541 to schedule your free consultation with our CIPP-US certified privacy attorney.

About the Author: Michael W. Schroeder, CIPP-US, is a licensed attorney in good standing in the State of California.