As well as handing down its largest fine on record, the FTC wants Facebook to up its privacy game.
Earlier this month, the US Federal Trade Commission (FTC) doled out its largest fine on record to Facebook for the mishandling of user data. Today (24 July), the $5bn fine has been formally announced, along with requirements that Facebook conduct privacy reviews of every new product or service.
The FTC fine comes as a result of years of investigating the Cambridge Analytica scandal and other privacy breaches at Facebook. In particular, the federal agency’s complaint was that Facebook had failed to establish a reasonable programme of privacy protection to which it had committed in 2012.
Among the allegations levelled at Facebook, the FTC said that misrepresentations were made to consumers as to how their data would be shared with third-party apps, and as to how they might be able to control facial recognition technology on the platform. The FTC complaint also alleged that Facebook engaged in new deceptive practices for the collection and use of users’ phone numbers under the guise of security features such as two-factor authentication.
In a statement, the FTC declared the “record-breaking” and “unprecedented” penalty to be a “historic victory for American consumers”.
As well as the $5bn fine, Facebook must comply with new privacy and data security requirements as well as implement “greater corporate accountability, more rigorous compliance monitoring and increased transparency”.
‘The magnitude of this penalty resets the baseline for privacy cases’
Amounting to 9pc of Facebook’s 2018 revenue, some US officials see the $5bn dollar fine as a mere “slap on the wrist”. However, with European regulation seen as a sort of benchmark in matters of data protection, the FTC made the comparison that this fine is more than 20 times greater than the largest GDPR fine to date.
“The magnitude of this penalty resets the baseline for privacy cases – including for any future violation by Facebook – and sends a strong message to every company in America that collects consumers’ data: where the FTC has the authority to seek penalties, it will use that authority aggressively,” the statement added.
Facebook’s new rules
In a post to its website, Facebook’s Colin Stretch said that the terms of this agreement “will require a fundamental shift in the way we approach our work” in “a sharper turn toward privacy, on a different scale than anything we’ve done in the past”.
Facebook is instructed to be more vigilant in identifying and documenting privacy risks, and Stretch compared its revised approach to privacy to its approach to financial controls, “with a rigorous design process and individual certifications intended to ensure that our controls are working – and that we find and fix them when they are not”.
This means that apps and third-party developers that want to mine Facebook user data will have to be certified to do so. Facebook must also obtain clear consent from users for features that make, use or share biometric information, such as facial recognition.
Facebook will also introduce a committee from its board of directors who will meet quarterly and provide oversight on these commitments. An independent privacy assessor will review the programme on an ongoing basis, and report their findings to the board.
‘Where the FTC has the authority to seek penalties, it will use that authority aggressively’
In addition to the FTC agreement, Facebook today settled matters with the US Securities and Exchange Commission (SEC) regarding the disclosure of such data abuses as occurred with Cambridge Analytica to investors.
Facebook agreed to a $100m fine from the SEC and Stretch said the company has already updated disclosures and controls.
Earlier this week, the FTC also announced a $700m settlement with Equifax over a 2017 data breach.