Export Compliance Daily is a Warren News publication.
SEC Also Fines Platform

Facebook Settles With FTC for $5 Billion, Including Independent Privacy Committee

Facebook will pay $5 billion and install an independent privacy committee to oversee data compliance, the FTC announced Wednesday in its long-awaited settlement. The company deceived users about control they have over their data, effectively violating a 2012 consent order, the agency alleged in its complaint. Separately, the SEC fined Facebook $100 million.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

FTC members voted 3-2 along party lines. Officials should have rejected the deal and litigated in court, said dissenting Commissioners Rohit Chopra and Rebecca Kelly Slaughter. At a news conference Wednesday, Chairman Joe Simons and Commissioners Noah Phillips and Christine Wilson defended the historic fine and structural remedies, given limitations of the agency's privacy authority.

If you get yourself in Facebook’s position, this is what you’ll get,” Simons told reporters. The settlement increases odds the company will comply with its new 20-year order, and if it doesn’t, the agency can identify violations faster and has better recourse for stronger penalties, he said. The $5 billion is about 20 times the largest privacy or data security penalty imposed globally, the agency said.

The complaint alleges the platform “shared the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings,” leaving many users completely unaware of the data-sharing. The allegations are central to Facebook’s Cambridge Analytica data privacy breach (see 1804090026).

CEO Mark Zuckerberg said the settlement goes beyond anything required under U.S. law. It “will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone,” he wrote. Company General Counsel Colin Stretch noted the deal “surpasses” U.S. law, saying the agreement is about rebuilding trust. Facebook, which generated $55.8 billion in 2018 revenue, agreed Wednesday to pay a $100 million fine to the SEC for third-party sharing of user data.

Lawmaker Concerns

Some lawmakers expected more from the commission, while others pointed to the steep levy.

House Republicans praised the historic nature of the FTC settlement but said what really matters is the impact new restrictions will have on user privacy. “This order covers a wide range of privacy and data security issues,” said Commerce Committee ranking member Greg Walden, Ore., and Consumer Protection Subcommittee ranking member Cathy McMorris Rogers, Wash.

House Commerce Committee Chairman Frank Pallone, D-N.J., and Sen. Roger Wicker, R-Miss., said in separate statements the settlement highlights the need for comprehensive federal privacy legislation. A privacy law is necessary to strengthen agency authorities and enforcement tools so “violating consumers’ privacy and breaking public trust isn’t just the cost of doing business,” Pallone said. Noting the significance of the fine, Wicker said “without a robust, comprehensive federal privacy law covering data collectors and consumers, bad actors will be able to continue to abuse data in the online marketplace.”

Sen. Josh Hawley, R-Mo., joined Senate Democrats in slamming the settlement as inadequate. The settlement “does nothing to change Facebook’s creepy surveillance of its own users & the misuse of user data. It does nothing to hold executives accountable,” Hawley said. Facebook paid a “mere fraction” of annual revenue for blanket immunity against known and unknown violations, said Sen. Ron Wyden, D-Ore. The FTC sent the message that it’s “acceptable for online giants to beg for forgiveness afterward rather than get permission first,” said Sen. Ed Markey, D-Mass.

The agency had two choices, said Simons: settle on favorable conditions as it did, or litigate for years and risk a weaker resolution. The decision was a no-brainer, Simons said, noting the public receives immediate relief.

The agency should have continued investigating what executives knew and how they profited, said Chopra: “If Facebook failed to cooperate, the Commission had enough evidence to take Facebook and Zuckerberg to trial.” It’s an insufficient penalty, said Slaughter, citing injury, Facebook’s ability to pay and lack of meaningful restrictions on data practices: “My deepest concern with this order is that its release of Facebook and its officers from legal liability is far too broad.” Their offices didn’t comment on why they didn’t attend the news conference.

The settlement relied on a consent order and a 100-year-old statute, not a comprehensive privacy law, Phillips said. Judged by that metric, the agency did an “excellent” job settling, he said. It wasn’t the purpose to vindicate every public concern, he added. Dialogue on other company issues continues, he said. The settlement sends two important messages: The price of privacy violations just went up, and privacy issues are something companies need to consider elevating to the board level.

Wilson echoed Simons, saying Congress should grant the agency civil penalty authority and jurisdiction over nonprofits and common carriers. With civil penalty authority for first-time offenses in 2012, it could have fined Facebook then, Simons noted. The threat of deposing Zuckerberg was leverage for securing the best protection possible, said Enforcement Division Associate Director James Kohm, claiming the CEO now faces bigger risks for future liability.

The agreement requires Facebook establish an independent nominating group to appoint an independent privacy committee. Committee members can be removed only with supermajority support from the Facebook board. The company will designate compliance officers to independently submit quarterly certifications to the FTC to ensure it's complying with its order-mandated privacy program, which also will cover Instagram and WhatsApp practices. The privacy committee will approve the compliance officers, who can’t be removed by company executives. In line with the previous order, an FTC-approved independent assessor will submit biennial assessments to the agency, and it will report to the new privacy board committee quarterly.

Stakeholders React

The deal had its critics and supporters.

The settlement lacks “meaningful change” on how the company collects and uses data and protects Facebook from enforcement on other potentially unknown violations, said Public Knowledge Competition Policy Counsel Charlotte Slaiman. Open Technology Institute Senior Counsel Eric Null also cited lack of “meaningful restrictions” on data collection and sharing practices, denouncing the agreement as ineffective. The settlement allows the company to remake promises “to adhere to its own privacy policy, while reserving the right to change that policy at any time,” said Public Citizen.

The FTC secured a massive fine and established new accountability, said Future of Privacy Forum CEO Jules Polonetsky. It lacks first-offense civil penalty authority and proper investigative resources, he said. Congress needs to grant the agency greater resources and authority, said Consumer Reports CEO Marta Tellado. “The size of the settlement is historic, but these attempts to hold Facebook accountable are not enough.”

The penalty creates a protective moat for Facebook, said TechFreedom President Berin Szoka. He argued the looming threat of such massive fines discourages competition.

Separately Wednesday, the FTC sued app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix, alleging they “used false and deceptive tactics to harvest personal information from millions of Facebook users.” Kogan and Nix agreed to restrictions on future business conduct. They face civil penalties of up to $42,530 for future violations.