After months of leaks to the press and rumors of an imminent enforcement action, the U.S. Federal Trade Commission has fined Facebook a record-breaking $5 billion and required the company to implement an "unprecedented" and modified corporate governance structure for violating its 2012 FTC consent decree.
The fine is the highest in the history of global privacy enforcement by a factor of 20, but perhaps more notably, the order requires a detailed data governance framework to ensure Facebook's executive leadership is accountable and transparent about its data practices.
In a statement, FTC Chairman Joe Simons said the penalty and "sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations, but, more importantly, to change Facebook's entire privacy culture to decrease the likelihood of continued violations."
According to Simons during a news conference Wednesday morning, the fine is 9% of the company's 2018 revenue and approximately 23% of its 2018 profit. Facebook generated $55.8 billion in revenue in 2018.
Though the fine is record-breaking, the corporate governance requirements are notable, specific and extensive. The order establishes an independent privacy committee of Facebook's board of directors and removes "unfettered control by Facebook's CEO Mark Zuckerberg over decisions affecting user privacy," according to an FTC news release.
The Wall Street Journal also reports that Facebook is expected to settle with the Securities and Exchange Commission for inadequate disclosures over its privacy practices. The settlement will reportedly include a fine of more than $100 million.
During Wednesday's news conference, FTC Commissioner Noah Phillips said the privacy committee members must have experience in compliance and "familiarity with data protection and privacy policies and procedures." Members of the committee must be appointed by an independent nominating committee and can only be fired by a supermajority of Facebook board directors.
Facebook must also appoint compliance officers for its privacy program. They will need approval of the new board privacy committee and can only be removed by that committee. The compliance officers will submit quarterly certifications that the company is in compliance with the order-mandated privacy program, along with an annual certification that the company is in compliance. False certifications will subject individuals to civil and criminal liability.
Additionally, third-party assessors will evaluate the effectiveness of Facebook's privacy program and identify gaps. The FTC holds the right to appoint or fire the assessor. The third-party assessor must also report directly to the independent privacy committee each quarter.
The order, which also covers Facebook-owned WhatsApp and Instagram, requires the company to conduct privacy impact assessments of every new or modified product, service or practice prior to implementation, and each assessment must be documented. The compliance officers will also create quarterly reports that will be shared with the CEO and the third-party assessor. And any incidents that affect 500 or more users must be documented and disclosed within 30 days of discovery.
"This is a watershed moment in privacy enforcement and corporate governance," Commissioner Phillips said. "Management and governance matters."
"This is Sarbanes-Oxley for privacy," Phillips said. Passed in 2002, SOX is a federal law that imposes extensive auditing and financial-reporting requirements on public companies. The law was passed in reaction to the Enron and WorldCom financial scandals at the beginning of the 21st century.
Chairman Simons used the opportunity to once again call on Congress to pass comprehensive privacy legislation that gives the agency more authority. "This settlement is all the more remarkable given the FTC's limited authority. We are not acting pursuant to a comprehensive privacy legislation like the [EU General Data Protection Regulation] in Europe. This is based on a 100-year statute."
FTC Commissioner Christine Wilson said, "Today is a good day for consumer privacy in America." She also called on Congress to repeal the common-carrier and nonprofit exemptions.
Wilson said Wednesday's settlement will set expectations for other businesses.
The order's corporate governance structure is not something that other companies may need, Phillips explained, but he said the settlement sends two messages to other companies.
For one, he said, "The price of privacy violations just went up."
Second, Phillips added, "Paying attention to privacy issues is something companies ought to consider especially on whether to elevate something to the board level."
"Is paying attention to privacy issues something all companies should focus on from an oversight and management perspective?" he asked. "Absolutely."
In a blog post, Facebook responded to the order, saying it "will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we've done in the past."
Facebook CEO Mark Zuckerberg also personally responded to the settlement.
The FTC spent more than a year investigating Facebook after the Cambridge Analytica revelations and, separately, has sued CA and settled with its former CEO and app developer. The agency alleges that Facebook "repeatedly used deceptive disclosures and settings to undermine users' privacy preferences in violation of the 2012 FTC order."
The order also requires Facebook to implement several additional privacy initiatives, including oversight of third-party apps, a prohibition on using phone numbers obtained to enable two-factor authentication for advertising, clear and conspicuous notice of and affirmative express user consent for its use of facial-recognition technology, implementation of a comprehensive data security program, encrypted storage of passwords, and a prohibition on asking for email passwords to other services when users sign up for Facebook's services.
The settlement did not have bipartisan support, however. Democratic Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a dissenting opinion.
Notably, Chopra and Slaughter argue the order "does little to change the business model or practices that led to the recidivism." They also expressed concern that the order let the company off the hook for other unspecified violations, grants immunity for company officers and directors, and that the financial penalty is not proportionate to its alleged illegal practices.
During Wednesday's news conference, the Republican commissioners disagreed. Several in the media questioned why Facebook CEO Mark Zuckerberg was not liable or deposed and why the fine was not higher. Simons suggested Facebook would not have settled under those terms. This again led the FTC chairman to ask for greater authority from Congress.
The U.S. Department of Justice's Gus Eyler, who was also present for the news conference, said Wednesday's settlement is the second-largest penalty from the DoJ "in any context" and that both agencies will enforce the terms. "We will not tolerate further deception," he said.
From a resource perspective, the FTC will prioritize its oversight over the order and will receive support from the DoJ.
The $5 billion will go to the Department of Treasury. Jim Kohm, FTC associate director of enforcement, said, "That pays back the last 25 years of the agency's operations."
Top image is a screenshot from the FTC's news conference announcing the settlement.