Intentional misuse of data just reached the billions.
Facebook's $5 billion fine is nearly 20 times the amount of the largest privacy or data security penalty "ever imposed worldwide," the FTC announced Wednesday. It's "one of the largest penalties ever assessed by the U.S. government for any violation," they said.
Facebook violated a 2012 FTC order by "deceiving users about their ability to control the privacy of their personal information," according to the announcement. While Facebook has a privacy policy for users to agree to ad targeting, it did not have a policy for political ad targeting, as in the Cambridge Analytica case.
Facebook built its business model on the ability to commodify data. The FTC's orders challenges the company's ability to operate as it traditionally has, with more transparency and independent accountability.
The social network essentially had its data privacy standards set by "their most click-happy friend," referring to third parties granted access to private user information, said Gustav Eyler, director of the Department of Justice Civil Division's Consumer Protection Branch, at a press conference Wednesday.
On top of the fine — which is nearly a quarter of its 2018 profits — Facebook has to "restructure its approach to privacy," according to the FTC.
"We have a responsibility to protect people's privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry," said Facebook CEO Mark Zuckerberg, in a company announcement following the settlement.
Among its edicts, the FTC is requiring Facebook to:
-
Transparently show how it "maintains" consumer's personal data, including how it makes information available to third parties.
-
It must "clearly and conspicuously disclose" what nonpublic user data it shares and to which third parties. The order requires explicit consent separate from existing privacy policies.
-
Facebook must maintain a "comprehensive information security program" to protect personal data, specifically for the collection, storage, transit or use of consumer authentication.
-
It is banned from creating any new facial recognition templates and is ordered to delete existing templates within 90 days of the order, unless users grant privilege outside any existing privacy policies.
-
The social network must establish a comprehensive privacy program within 180 days of the order. Facebook must provide program documentation, including a risk assessment, and appoint a chief privacy officer of product.
-
Facebook is required to establish an Independent Privacy Committee, "consisting of independent directors, all of whom meet the privacy and compliance baseline requirements."
-
The company must conduct "initial and biennial" assessments of the mandated privacy program, performed by "qualified, objective independent third-party professionals." Facebook has to inform the FTC who is conducting the assessments.
Facebook nominated Michel Protti, VP of partnerships product marketing, to the chief privacy officer role shortly after the FTC announced its settlement, though it requires approval from the Independent Privacy Committee.
What about everyone else?
The FTC is mandating an additional layer of independent oversight for Facebook and its future business endeavors. Committees comprised of independent directors is considered a best practice for corporate governance.
Most NASDAQ companies already have independent nominating committees, according to FTC Commissioner Noah Joshua Phillips, during the press conference.
Facebook, by comparison, is a "controlled company," and is not legally obligated to have an independent board.
As CEO and Chairman, Mark Zuckerberg has the ability to fire other directors without cause as the majority vote. The Independent Privacy Committee would curb Zuckerberg's and other Facebook-employed directors' effect on Facebook's privacy actions.
The FTC's authority is limited, and Zuckerberg remains the controlling shareholder, but his influence is "accordingly diminished" by the order's requirements, said Phillips.
Facebook is more unique than most, if not all, companies in how it pursues user data. "Facebook was not honest about what they were doing and who was viewing its customers' data," Chris Kennedy, CISO at AttackIQ, told CIO Dive in an email.
The FTC's $5 billion settlement was meant to show the price of data privacy violations, so adopting a privacy advocate role "that represents the customer as a stakeholder in the company," could alleviate potential implications, said Kennedy. Having an independent representative to protect customer interests could help prevent many companies from making similar mistakes.
A slap on the wrist
Critics of the FTC's order say it is a glorified paper trail, requiring Facebook to document its privacy practices and not necessarily change them.
The social network, like other companies, flirts with the line of compliance and privacy using dark patterns, which give customers the illusion of data control. Facebook incentivizes its users to engage with the platform more and in return, users offer more of their information for the company to use or sell.
"Facebook makes money from aggregating and selling personal data. They cannot change their model and stay in business," said Colin Bastable, CEO of Lucy Security, in an email to CIO Dive. "They should be paying consumers to use Facebook."
Still, the FTC's authority stops short of making more resounding impacts in data privacy management. The federal agency has called on Congress to grant it more aggressive power beyond the limitations of Section 5 of the FTC. Section 5 gives the agency the ability to pursue privacy and data security cases, but limits the scope of issuing civil penalties on first offenses.
This latest settlement is only meant to remedy the violations the FTC found in this investigation. It does not insulate Facebook from future violations and penalties, including violations of competition.
"Facebook paid the FTC $5B for a letter that says 'You never again have to create mechanisms that could facilitate competition,'" former Facebook CSO Alex Stamos said on Twitter.
Facebook's approximately 2.5 billion-user-strong network means the company "never again needs" data from third parties to grow," Stamos said. "This order doesn't include the word competition or include any balancing tests. It's fantastic for [Facebook]."
The FTC, however, argues that this is not a competitive order. It is solely a response to the violations of the 2012 consumer protection order. The FTC and Department of Justice can go after competition violations.
This particular order from the FTC was not to "vindicate every concern the world has about Facebook," said Simons. This particular order was a not a catch-all for the company's previous infractions, but doesn't rule out the FTC's right to sue for future violations.