Hello from Portsmouth, New Hampshire.

In privacy news this week, Facebook was a big driver of coverage, with the company receiving both favorable and unfavorable attention. In welcome news for privacy advocates, Facebook introduced a privacy setting that makes opt-in the default for its Face Recognition feature. In addition, Facebook Vice President and Chief Privacy Officer Erin Egan released a white paper this week entitled “Data Portability and Privacy.” Drawing from the Article 29 Working Party’s guidance on the subject, it poses some basic questions about what data portability is, which types of data should be portable, and how privacy should be protected when data is ported, with the aim of “promot[ing] portability by laying out the issues and starting to address hard questions about how portability can be implemented in a privacy-protective way.”

Clouding this rosy picture of Facebook’s progress on the privacy front, however, was another security incident involving the company that occurred this week. A server that was not protected by a password was found to contain hundreds of millions of phone numbers linked to Facebook accounts. The database was discovered by Sanyam Jain, a security researcher with the GDI Foundation, a nonprofit based in the Netherlands.

The FTC made perhaps the biggest splash this week with its “game-changer” settlement with Google and its subsidiary YouTube over violations of the Children’s Online Privacy Protection Act. In the settlement, Google and YouTube were ordered to pay $136 million to the FTC and $34 million to New York in what is now the largest fine imposed under COPPA since the law came into effect in 1998. In fact, the penalty was 10 times greater than all previous COPPA penalties combined, and it eclipsed the $57 million fine imposed on Google by France’s CNIL earlier this year for GDPR violations. As FTC Chairman Joseph Simons explained at a news conference, “For YouTube, and other third-parties like it that serve ads, they can’t market their ability to get child viewers on the one hand, and disavow knowledge that children are using their service, on the other. They can’t rate videos as kid-directed for one purpose, and then say they have no COPPA liability when they collect information from kids watching those videos.”

The FTC also settled complaints against five companies for falsely claiming to be certified under the EU-U.S. Privacy Shield agreement. Each company is prohibited from misrepresenting the extent to which they participate in privacy and data protection security programs, like the Privacy Shield. While no fines were imposed in these consent agreements, violations of these orders in the future can carry civil penalties of up to $42,530 each.

The Citizenship and Immigration Services also made headlines when the Department of Homeland Security reversed a prior ban on creating fake social media accounts to monitor individuals who apply for visas, green cards and citizenship. Electronic Frontier Foundation Senior Investigative Researcher David Maass was quoted in an Associated Press story saying this move “undermines our trust in social media companies and our ability to communicate and organize and stay in touch with people.” This move follows a recent change by the State Department, which began requiring visa applicants in June to submit their social media usernames.

As Hurricane Dorian was spreading northward toward the coasts of the Carolinas, Department of Health and Human Services Secretary Alex Azar declared a public health emergency in Puerto Rico and the states of Florida, Georgia, North Carolina and South Carolina. Alongside this declaration, the HHS issued a 72-hour waiver of sanctions and penalties for certain provisions of the HIPAA Privacy Rule, applicable to hospitals that have implemented their disaster protocol.

I hope all of you in the affected areas have been able to stay safe during this crisis.