On July 24, 2019, the Federal Trade Commission ("FTC") handed Facebook a $5 billion penalty for continuously misrepresenting to its users how it was sharing their personal data. The $5 billion penalty is the largest civil penalty imposed for a data privacy violation and puts companies on notice that the FTC is serious about how companies collect, use and share personal data. Pursuant to the terms of the settlement agreement, in addition to the $5 billion penalty, Facebook is required to: 1) create a new Board of Directors committee focused solely on privacy-related risks and compliance matters (effectively removing decisions involving consumer privacy from Facebook CEO Mark Zuckerberg); and 2) submit quarterly certification reports attesting to the fact that Facebook is in compliance with the FTC order and Facebook's privacy program. These measures have been implemented as a result of Facebook's violation of a 2012 settlement order with the FTC, the Cambridge Analytica scandal, and other general allegations of user data mishandling.

What were the terms of the 2012 consent order?

2012 Alleged Data Privacy Violations

In 2012, the FTC alleged that Facebook was deceiving users by sharing the personal information of their "friends" with third-party app developers. In response to these allegations, the FTC and Facebook ultimately entered into a settlement agreement that required Facebook to: 1) provide users with clear and prominent notice concerning how Facebook was sharing personal information; 2) obtain express consent before sharing user information beyond their privacy settings; 3) maintain a privacy program to protect the privacy and confidentiality of user information; and 4) permit biennial privacy audits of its consumer data privacy practices to be conducted by an independent third party. The most recent allegations include, among other alleged violations, that it took Facebook just four months to violate the settlement order by removing disclosures from its privacy settings that it was sharing data with third-party developers.

Beware of Data Privacy Violations

Data privacy violations can bring on a regulatory investigation by the FTC or a state attorney general. This ground-breaking settlement figure illustrates that the FTC regards privacy and data security as matters of paramount public concern and believes that violations should be penalized. In order to minimize operating risk, it is critical to engage knowledgeable legal counsel prior to collecting, using and sharing consumer personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.