The Federal Trade Commission (FTC) officially announced a $5 billion penalty against Facebook (NASDAQ: FB) for mishandling users’ personal data and privacy.
The penalty is the largest the FTC has ever imposed on any company for violating consumers’ privacy. It is almost 20 times larger than the largest penalty previously imposed anywhere in the world for a privacy or data security violation.
The FTC imposed the record-breaking fine after a year-long investigation into allegations that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy options. The Commission found that the company’s privacy practices violated its 2012 settlement order.
In a statement, FTC Chairman Joe Simons said, “Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices.”
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law,” added Simons.
FTC imposes new restrictions on Facebook
In addition to the fine, the FTC imposed new restrictions on Facebook’s business operations. The 20-year settlement order requires the social media giant to reform its approach to privacy. The order also requires the company to implement strong procedures to ensure that its executives are accountable for their decisions regarding privacy and that those decisions are subject to oversight.
Furthermore, the order establishes an independent privacy committee of Facebook’s Board of Directors. The committee ends the sole control of Facebook CEO Mark Zuckerberg over decisions related to users’ privacy.
The order requires the social media giant to appoint compliance officers responsible for its privacy program. The Board of Directors’ independent privacy committee will be responsible for approving or removing a compliance officer. Zuckerberg and the compliance officers must submit quarterly certifications that Facebook is in compliance with the mandated privacy program.
Moreover, the order strengthens external oversight of Facebook. It improves the ability of the independent third-party assessor to evaluate the effectiveness of Facebook’s privacy program and to identify any gaps.
Additional privacy requirements
The order also requires Facebook to do the following:
- Exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
- Not use telephone numbers that were obtained to enable a security feature (e.g., two-factor authentication) for advertising;
- Provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
- Establish, implement, and maintain a comprehensive data security program;
- Encrypt user passwords and regularly scan to detect whether any passwords are stored in plain text; and
- Not ask consumers for the passwords to their email accounts with other services when they sign up for Facebook’s services.