Even in her extensive dissent, FTC Commissioner Rebecca Slaughter labeled the Order “exceptional.”
And it is. The terms of the Federal Trade Commission’s (FTC) $5 billion, twenty-year settlement Order reached with Facebook on Wednesday are the agency’s most prescriptive privacy and data security agreement ever. The Order comes just three days shy of the seventh anniversary of the FTC’s original 2012 settlement with Facebook, in which the FTC ordered Facebook to comply with its privacy commitments.
This week, the FTC confirmed what had already been widely reported, from the Cambridge Analytica scandal to a series of other press reports on privacy mishaps: the agency determined that Facebook’s data practices did not comply with the FTC’s 2012 Order.
Almost immediately, the Order was attacked by critics insisting that the Commission let Facebook off the hook too easily, for, among other reasons, not obtaining an admission of guilt or liability, not restricting data flows or integration among its companies, and not obtaining an even higher monetary penalty. Commissioner Slaughter wrote that although the Order is exceptional, the “facts and defendant before us are exceptional as well,” and that she did not believe the “combined terms would effectively deter Facebook from engaging in future law violations and send the message that order violations are not worth the risk.” Supporters of this view are likely to point to Facebook’s second quarter earnings results indicating a 28 percent revenue increase compared with 2018.
In contrast, Commissioner Noah Phillips, who supported the settlement, defended the outcome. “I am absolutely certain that the deal we struck today is better than the relief that we might have achieved had we gone to court,” Commissioner Phillips told CNN. In particular, Phillips and other Republican Commissioners point to extensive, precedent-setting monetary relief, as well as injunctive relief that dictates a new detailed accountability process for how Facebook’s privacy (and information security) decisions and oversight will function for the next twenty years.
Here’s a rundown of key terms in the Order:
#1: Liability Limitations
- Terms: Facebook neither admits nor denies any of the allegations against it. In exchange for agreeing to the Order and paying $5 billion in civil penalties, the FTC agrees that the Order resolves “any and all claims that Defendant, its officers, and directors” violated the 2012 settlement order and Section 5 of the FTC Act.
- Context: In his dissent, Commissioner Rohit Chopra criticized the liability terms because Facebook received what he characterized as a “legal shield” covering a wide range of conduct not addressed in the Complaint or Order. “I have not been able to find a single Commission order – certainly not one against a repeat offender – that contains a release as broad as this one,” Chopra wrote.
- Exceptional? In 2012, Commissioner J. Thomas Rosch dissented because the FTC’s 2012 settlement allowed Facebook to expressly deny the allegations in the Complaint. In the 2019 Order, Facebook neither admitted nor denied the allegations. Kelley Drye View: Not exceptional.
#2: Privacy Prohibitions / Restrictions
- Terms: Facebook may not make misrepresentations about privacy and information security in connection with its products and services. The Order sets limits and rules around how Facebook may use telephone numbers provided for account authentication, facial recognition templates, and private user information. Facebook is required to ensure that when a consumer deletes information or content, the data are in fact deleted and not accessible to third parties.
- Context: These are familiar terms. When the FTC identifies a violation of its Act or a prior Order, the FTC seeks settlement terms that directly prohibit a company from re-engaging in the offending activity. In its statement in support of the settlement, the majority of commissioners led by Chairman Joe Simons wrote, “Collectively, these requirements will not only alter the way Facebook does business, but also send an important signal to the marketplace about privacy and security best practices.” The majority also pointed out that this is “the first FTC order to address biometric information, requiring Facebook to get consumers’ opt-in consent before using or sharing” facial recognition templates.
- Exceptional? The 2012 settlement mirrored many of these terms, especially with regard to misrepresentations in privacy statements and deletion of personal information. The FTC has also conveyed its expectations that when collecting and using sensitive personal information (such as biometric information) in a manner that may surprise consumers, a company should obtain an opt-in. Kelley Drye View: Not exceptional.
#3: New Data Security Terms
- Terms: Facebook will be required to maintain an information security program to protect the security of user information, including passwords. The company will be required to scan for files containing user passwords in plaintext, and to report to the government any data breach affecting 500 or more users.
- Exceptional? The FTC regularly mandates information security programs, especially in cases involving data breaches. Earlier this year, in the Lightyear Dealer Technologies case involving exposure of personal information, the FTC mandated a detailed information security program complete with regular independent evaluations, internal assessments, and annual certifications. What is exceptional here is that, now, every Facebook data compromise involving 500 or more users’ information will be closely reviewed by both the DOJ and FTC. Kelley Drye View: Exceptional.
#4: Oversight Agencies (DOJ & FTC)
- Terms: The Order indicates that aside from providing documents to the FTC, Facebook must provide copies of reports, assessments, notifications, certifications, and other mandated filings to the Department of Justice.
- Context: The FTC has limited manpower and staff (and, more importantly, a constrained budget) to address every concerning privacy and data security matter. Adding a second government agency increases oversight (and enforcement) potential. Kelley Drye View: Neutral (and potentially Exceptional if the settlement were to motivate Congress to increase the FTC’s allotted budget, in which case extra oversight and resources likely would translate to more active enforcement).
#5: Privacy Safeguards and Reviews
- Terms: The FTC mandates that Facebook implement safeguards to ensure protection of user information. These safeguards require Facebook to conduct extensive privacy reviews prior to rolling out new services, with a more in-depth review required for services that present a “material risk to the privacy, confidentiality, or Integrity of” user information. The settlement also requires Facebook to develop safeguards regarding facial recognition technology and affiliate sharing.
- Context: The terms respond to ongoing concerns that Facebook rolls out new products or services without sufficiently considering the impact on privacy. These safeguards do not restrict Facebook from taking actions with new, material privacy implications, but they slow the process down and open it to deliberative review. Kelley Drye View: Neutral.
#6: Third Party Monitoring
- Terms: Facebook is required to design and implement safeguards that require vetting, monitoring, and enforcement against third parties that use Facebook user information for their own consumer applications and websites. These safeguards include requiring each such party to provide a self-certification of compliance with Facebook’s terms. They also require Facebook to conduct ongoing compliance monitoring and to enforce compliance terms, including by restricting access to Facebook data in instances of non-compliance, and to take other appropriate disciplinary measures commensurate with the gravity of the violation and the party’s prior history of compliance.
- Exceptional? The extent and specificity of the FTC’s third party vetting terms are unique to this case and go beyond the FTC’s prior examples. It remains to be seen whether these are merely more robust “fencing-in relief,” or whether they preview what the FTC will demand in other cases involving third party compliance, including with respect to telemarketing and lead generation. Kelley Drye View: Exceptional.
#7: Overlapping Channels of Compliance
- Terms: The FTC has implemented overlapping “channels of compliance” to hold Facebook accountable for privacy and data security related decisions and practices. First, Facebook must create an independent privacy committee. Second, Facebook’s CEO and compliance officers will be required to submit quarterly compliance certifications vouching for the company’s compliance with the Order. Third, Facebook will face monitoring by independent assessors (over whose work product Facebook cannot claim privilege) and by the FTC.
- Exceptional? The FTC’s majority statement emphasizes the overlapping channels of compliance, and they are no small feat. Facebook has agreed to twenty years of extensive auditing at multiple levels. While many FTC decisions may include some of these compliance checks, the Order’s inclusion of all of these is significant. Kelley Drye View: Exceptional.
- Caveat: Earlier this week, the FTC settled charges with Equifax over a data breach that impacted 147 million people. That agreement included yet another channel of compliance: it set up its own FTC email hotline for Equifax employees to submit complaints or concerns about the company’s information security practices to the FTC, and a process for reviewing, addressing, and escalating those complaints. This type of process is notably absent from the Facebook settlement.
#8: Heavy Handed Corporate Governance Terms
- Terms: In a remarkable example of government intervention in a public company’s operations, the FTC includes as Exhibit 1 to the Order a new article to be inserted into the Facebook corporate charter. The article states that no director serving on the independent privacy committee may be removed for reasons related to their duties on that committee.
- Exceptional? This is a unique provision designed to protect the integrity of the independent privacy review process that is a cornerstone of the settlement agreement. Kelley Drye View: Exceptional.
Whether precedent setting or a one-off, the Facebook settlement sets a new standard in the United States for privacy accountability and government oversight of a company’s data practices. Given the third-party monitoring and enforcement program that is part of this settlement, its effects also may be felt by many others in the online space. On the day of the settlement’s announcement, public reports also noted that Facebook is the subject of a current FTC antitrust investigation. While it may be many months (or longer) before we know how that matter resolves, its outcome too will be of great interest and could materially affect the digital ecosystem.
At bottom, there is no longer a status quo in the United States when it comes to data practices and standards. This settlement, the California Consumer Privacy Act’s looming compliance deadline, and the ongoing debate over whether there should be a comprehensive federal privacy law are all developments that underscore one takeaway: most companies’ data practices can benefit from a fresh review and consideration of how to plan for the future.
To discuss how the settlement could impact your business, please contact attorneys in the Privacy and Information Security practice at Kelley Drye.