As The Privacy Advisor reported yesterday, the settlement is more than the fine. It's historic in that it will substantially shift the way Facebook handles privacy, including at the corporate-governance level, by requiring an independent privacy committee of Facebook's board of directors.
While stakeholders reacted last week to news that the $5 billion settlement was close to finished, it wasn't until the U.S. Federal Trade Commission officially announced it yesterday that the world saw its unprecedentedly broad terms.
In addition to the change at the board level, Facebook must also implement a specific privacy program outlined by the FTC. The order requires the company to conduct privacy impact assessments of every new product or service prior to implementation. It must appoint compliance officers for its privacy program, who will submit quarterly certifications on the company's compliance. Notably, false certifications will subject individuals to civil and criminal liability.
Lisa Sotto, CIPP/US, CIPM, FIP, an attorney at Hunton & Williams, also noting the Equifax settlement announced earlier this week, said, "These last few days have been pivotal for the FTC" and that "these landmark cases usher in a new era for the FTC in flexing its considerable muscle in privacy and data security matters."
What's especially significant to anyone paying attention is the settlement's requirement for board-level involvement on privacy.
"In Facebook’s case, the FTC stressed accountability of the company at the highest level, imposing significant responsibility on the board and suggesting that tone from the top is critical," Sotto said.
Hilary Wandall, CIPP/E, CIPP/US, CIPM, FIP, general counsel and chief data governance officer at TrustArc, said while the fine was headline-grabbing, it's not the most essential part of the news.
"The real significance of this decision in driving organizations to take privacy seriously is not in the huge fine itself, but in the details of the requirements for compliance."
Wandall said the FTC's order is a game-changer, taking "accountability" from being a buzzword in the privacy community, as it has been for 10 years now, and creating a new precedent on what "robust privacy accountability should involve." She pointed to the requirement for oversight by an independent board-level privacy committee, program risk assessments, privacy-by-design reviews and quarterly certifications for Zuckerberg, among others.
"This is the first time we have seen a corollary to the robust level of corporate governance and responsibility, internal controls, disclosures, and board committee independence introduced to protect investors under the Sarbanes-Oxley Act applied to protect consumers in the privacy context, and it is a likely indicator of a new era of privacy accountability for organizations that collect, use and share data about U.S. consumers."
FTC Commissioner Noah Phillips likened the settlement to Sarbanes-Oxley during the agency's news conference yesterday. Wandall lauds the idea, promoted by the FTC's order, of borrowing corporate responsibility requirements from regulated areas, like the environment, health care and safety, and applying them to how a company embeds privacy into its culture, strategy and decision-making.
"I have seen models like senior management certifications and sub-certifications as well as annual risk assessments and program reviews help drive alignment around privacy within the hierarchy of organizations; however, this new order substantially builds upon what I have seen done voluntarily and sets new expectations for how privacy should be managed well within organizations," she said.
Joseph Jerome, CIPP/US, privacy counsel at the Center for Democracy and Technology, is less impressed with the outcome.
"There's no question that the new Facebook settlement is the furthest that the FTC has gone in trying to place guardrails and restrictions around how a company manages data, and if you come at privacy from a compliance mindset, there's a lot to unpack in the order," he said. "But let's be clear: The order doesn't really restrict how Facebook uses any of the information it collects, and that has been the ask from privacy advocates and consumer groups for a decade now. Falling back on more and more 'privacy review statements' does not address this issue. The FTC is once again asking us to 'trust Facebook' to do better, but that's not a thoughtful way to police privacy anymore."
But Dan Caprio, formerly of the FTC and now co-founder of The Providence Group, said the settlement is a win, and raised an often-made point that if critics want the FTC to do more, the agency needs more power: namely, a privacy law granting it just that.
"The FTC is a law enforcement agency, not a privacy regulator." He called the FTC's settlement with Facebook a "home run for privacy and consumers."
Caprio added that the settlement “is historic, setting the bar very high going forward for companies to value data as a strategic asset. Realizing the constraints of section 5 of the FTC Act, this is an opportune time for Congress to pass a comprehensive privacy bill to give the FTC more authority.”
Chris Zoladz, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, founder of consulting company Navigate, shares some of Jerome's skepticism. He said Facebook executives will now have to demonstrate change with action, not just lip service.
"Can Facebook really change their behavior? I believe they can, but only if they change their culture to make privacy a non-negotiable operating principle and enforce it with military-type discipline," said Zoladz. "Only time will tell if they have the will and commitment to walk the walk."
Then there's the aspect of the order that requires the establishment of privacy "training programs for all employees on at least an annual basis."
Wandall said annual training as a requirement is a well-established best practice in leading organizations, which the order obviously reflects.
"The reality is privacy is complex, data and technology are changing frequently, and unless you have regular reminders of what you need to know and what's new, it is hard for many to remember what is needed."
Zoladz is optimistic but remains skeptical.
He said the requirements on privacy training and the independent privacy committee sound good, but the "reality is that this needs to be substance over form. Will Facebook truly change how they behave and handle personal information? Maybe, but only if there is a culture change and commitment, and maybe a change in some of their leadership and an infusion of external input. Clearly, the current path is flawed and the previous FTC consent decree of independent oversight/reporting has proved meaningless."
It's up to Facebook to prove that this time around with the FTC will be more fruitful.