Facebook agreed to pay a $5 billion fine to the FTC and the DOJ to settle claims that the company engaged in deceptive business practices by failing to abide by a 2012 settlement order requiring it to give notice to customers before sharing information with third parties. The FTC and DOJ alleged that Facebook violated the prior order by failing to maintain an adequate data protection program to prevent developers from accessing customers' personal information.

According to regulators, developer Aleksandr Kogan and former CEO Alexander Nix of Cambridge Analytica, LLC ("Cambridge Analytica") used misleading tactics to procure "tens of millions" of Facebook users' personal information collected through the "GSRApp" application on Facebook commonly known as "thisisyourdigitallife." While Cambridge Analytica ostensibly obtained permission from users to harvest their data, the FTC said, its methods for doing so were "false and deceptive."

In addition to paying the fine, Facebook agreed to:

  • exercise greater oversight over third-party apps;

  • prohibit the use of telephone numbers obtained to enable security features;

  • provide conspicuous notice of its use of facial recognition technology;

  • design and uphold a comprehensive security program;

  • encrypt user passwords and conduct regular checks of whether passwords are stored in plaintext; and

  • refrain from asking for email passwords to other services when users create Facebook accounts.

In a related action, the FTC entered into a settlement with Cambridge Analytica that requires (i) any further misleading statements regarding the data collected by Cambridge Analytica to stop and (ii) the destroying of users' personal information collected thus far. The FTC consent agreement package will be open for public comment for 30 days after publication in the Federal Register. Cambridge Analytica faces a civil penalty of up to $42,530 for each violation.

Separately, Facebook agreed to pay $100 million to the SEC to settle charges for failing to properly disclose to the public that developers may have violated its terms of service by obtaining personal information belonging to Facebook customers.

Commentary / Joseph V. Moreno

The initial reaction to the Facebook settlement by some industry analysts is that it was too lenient, and that $5 billion is nothing to a company with annual revenues of over $55 billion. The deal also received criticism from political leaders for not imposing personal liability on Facebook CEO Mark Zuckerberg and other senior executives, and for effectively ending the scrutiny of the company's prior relationship with Cambridge Analytica without further consequence. However, the settlement will impose a twenty-year requirement that Facebook form and maintain an independent privacy committee and privacy officers, and run all new products through a privacy review. And, with confirmation today that Facebook is facing a new FTC investigation on antitrust grounds, as well as swirling concerns about the spread of "fake news" on Facebook as the 2020 presidential election season draws near, it is unlikely the social media giant will be free of U.S. government scrutiny any time soon.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.