Enforcement News: Facebook’s Tough Week – Over $5 Billion Paid to Settle Claims Brought by The SEC and FTC
Posted on: Jul 29 2019
Last week was a rough one for Facebook, Inc. (FB-NASDAQ). On July 24, 2019, the social network giant agreed to pay a $100 million fine to the Securities and Exchange Commission (“SEC”) to settle claims related to the Cambridge Analytica scandal, and a $5 billion penalty to the Federal Trade Commission (“FTC”) to settle claims concerning misleading disclosures about the company’s privacy practices. The settlements are the culmination of investigations by the SEC, the FTC and other federal agencies that began about a year earlier (July 2018), following Facebook’s disclosure in March 2018 that Cambridge Analytica, the British political data-analysis firm connected to the 2016 presidential campaign, had improperly accessed the personal information of approximately 87 million Facebook users.
The SEC fine – $100 million – represents the “highest penalty the SEC has ever assessed for this kind of disclosure failure,” said Stephanie Avakian (“Avakian”), Co-Director of the SEC’s Division of Enforcement.
The FTC penalty – $5 billion – is “the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide,” said the FTC in its announcement. “It is one of the largest penalties ever assessed by the U.S. government for any violation.”
SEC v. Facebook, Inc.
The SEC brought charges against Facebook for making misleading disclosures about the risk that user data could be misused. According to the SEC, for more than two years Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when, in fact, Facebook knew that a third-party developer (the academic researcher’s company described below, which passed the data on to Cambridge Analytica) had actually misused the social network giant’s user data.
According to the SEC’s complaint, in 2014 and 2015, Cambridge Analytica, the now-defunct British advertising and data analytics company, paid an academic researcher, through a company he controlled, to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans. In addition to the personality scores, the researcher, in violation of Facebook’s policies, also transferred to Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays, and “page likes.” Cambridge Analytica used this information in connection with its political advertising activities.
In the complaint, the SEC alleged that Facebook discovered the misuse of its users’ information in 2015 but did not correct its existing disclosure for more than two years. Instead, Facebook continued to tell investors that “our users’ data may be improperly accessed, used or disclosed.” According to the SEC, Facebook reinforced this false impression when it told news reporters who were investigating Cambridge Analytica’s use of Facebook user data that it had discovered no evidence of wrongdoing.
Facebook did not disclose that a researcher had improperly transferred data for millions of Facebook users to Cambridge Analytica until March 16, 2018, when the company publicly acknowledged on its website that it had learned of the violation of its policy in 2015.
The complaint further alleged that during the referenced two-year period, Facebook had no specific policies or procedures in place to assess the results of its investigation for the purpose of making accurate disclosures in the company’s public filings.
“Public companies must accurately describe the material risks to their business,” said Avakian. “As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused. Public companies must have procedures in place to make accurate disclosures about material business risks.”
“We allege that Facebook exacerbated its disclosure failures when it misled reporters who asked the company about its investigation into Cambridge Analytica,” said Erin E. Schneider, Director of the SEC’s San Francisco Regional Office. “This gave further weight to Facebook’s misleading statements in its public filings.”
Without admitting or denying the SEC’s allegations, Facebook agreed to the entry of a final judgment ordering a $100 million penalty and an injunction that permanently enjoins it from violating Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934, and Rules 12b-20, 13a-1, 13a-13, and 13a-15(a) thereunder.
United States of America v. Facebook, Inc.
The FTC brought charges against Facebook alleging that the company violated a 2012 FTC order (the “2012 FTC Order”) by deceiving users about their ability to control the privacy of their personal information. To settle the claims, Facebook agreed to pay a $5 billion penalty and to submit to new restrictions and a modified corporate structure intended to hold the company accountable for the decisions it makes about its users’ privacy.
According to the FTC, Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of the 2012 FTC Order. Under the order, Facebook was prohibited from making misrepresentations about the privacy or security of consumers’ personal information, and the extent to which it shared personal information, such as names and dates of birth, with third parties. It also required Facebook to maintain a reasonable privacy program that safeguarded the privacy and confidentiality of user information.
The FTC alleged that Facebook violated the 2012 order by deceiving its users when it shared the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings. According to the agency, Facebook allowed a user’s personal information to be shared with third-party apps that had been downloaded not by that user but by the user’s Facebook “friends.” The FTC claimed that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt out of sharing.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
“The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information,” said Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division. “This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness.”
The Terms of the New Settlement
In addition to the record-breaking $5 billion penalty levied by the FTC, the settlement also imposes new restrictions on Facebook’s business operations and creates multiple levels of governance and compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down and establishes new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.
Under the settlement order, the board of directors is required to establish an independent privacy committee, which is designed to remove the unfettered control that Facebook’s Chief Executive Officer (“CEO”), Mark Zuckerberg, has had over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can be removed only by a supermajority of the board of directors.
The settlement also requires Facebook to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new privacy committee and can be removed only by that committee, not by Facebook’s CEO or Facebook employees. Importantly, Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.
Moreover, the settlement is intended to strengthen external oversight by requiring an independent third-party assessor to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. The assessor’s biennial evaluations of Facebook’s privacy program must be based on the assessor’s own independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management. The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the assessor is required to report directly to the new board privacy committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order.
The settlement applies not only to Facebook but also to its other social media offerings, WhatsApp and Instagram. It requires Facebook to conduct a privacy review of every new or modified product, service, or practice before it is implemented, and to document its decisions about user privacy. The designated compliance officers must generate a quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency. The order also requires Facebook to document incidents in which the data of 500 or more users has been compromised, together with its efforts to address each such incident, and to deliver this documentation to the FTC and the assessor within 30 days of the company’s discovery of the incident.
Additionally, the order imposes significant new privacy requirements, such as: greater oversight of third-party apps; prohibiting Facebook from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising; providing clear and conspicuous notice of its use of facial recognition technology, and obtaining affirmative express user consent prior to any use that materially exceeds its prior disclosures to users; storing user passwords only in encrypted form and regularly scanning its systems to detect whether any passwords are stored in plaintext; and prohibiting Facebook from asking for the passwords to users’ email accounts on other services when they sign up for Facebook services.
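The plaintext-password scanning requirement above is the one item in the order that maps directly onto an engineering control, so a worked example is added here. This is not part of the original article and is not Facebook’s own tooling; it is an illustration, written by the editor, of one way such a scan can be built. It walks log lines (constructed for the example), flags any credential-looking field whose value is not in a recognised password-hash format, and separately searches for the known passwords of “canary” test accounts, which catches leakage even where the field name gives nothing away. The field names, the accepted hash formats and the canary accounts are assumptions; findings carry only a truncated SHA-256 fingerprint of the offending value so that the scanner’s own report does not become a second copy of the secret.

```python
import hashlib
import re
from dataclasses import dataclass

# Field names that commonly carry a credential. Assumption: extend per code base.
CREDENTIAL_FIELDS = ("password", "passwd", "pwd", "pass")

# Values in these formats are stored hashes, not plaintext. Assumption: only the
# modern password-hashing schemes are acceptable (bcrypt, argon2, scrypt, and
# PBKDF2 in the Django style); anything else in a credential field is a finding.
HASH_FORMATS = re.compile(
    r"^(?:"
    r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"                  # bcrypt (60 chars total)
    r"|\$argon2(?:id|i|d)\$v=\d+\$[^$]+\$[^$]+\$[^$\s]+"   # argon2 (PHC string)
    r"|\$scrypt\$[^$]+\$[^$]+\$[^$\s]+"                     # scrypt (PHC / passlib)
    r"|pbkdf2_sha256\$\d+\$[^$]+\$[^$\s]+"                  # PBKDF2 (Django style)
    r")$"
)

# key=value, key: value, or "key": "value". Group 1 is the field, group 2 the value.
FIELD_RE = re.compile(
    r"\b(" + "|".join(CREDENTIAL_FIELDS) + r")\b\"?\s*[=:]\s*\"?([^\s\"';&]+)",
    re.IGNORECASE,
)

# Canary accounts: test users registered with known passwords, so any copy of a
# password outside the hashed store is detectable by value. Constructed for the example.
CANARY_PASSWORDS = {
    "canary-0001": "Tq7#vL9!bandersnatch",
    "canary-0002": "9pZ$mock-turtle!44",
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str       # "plaintext_field" or "canary_value"
    field: str      # field name, or canary account for canary hits
    evidence: str   # fingerprint of the value, never the value itself


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so findings can be correlated without re-logging the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def is_hashed(value: str) -> bool:
    """True if the value is in one of the accepted password-hash formats."""
    return HASH_FORMATS.match(value) is not None


def scan_line(line_no: int, line: str) -> list[Finding]:
    findings = []
    for m in FIELD_RE.finditer(line):
        field, value = m.group(1).lower(), m.group(2).rstrip(",.;)")
        if not is_hashed(value):
            findings.append(Finding(line_no, "plaintext_field", field, fingerprint(value)))
    # Value-based check: catches a leaked password regardless of how the field is named.
    # A production scanner would also try URL- and base64-decoded views of the line.
    for account, secret in CANARY_PASSWORDS.items():
        if secret in line:
            findings.append(Finding(line_no, "canary_value", account, fingerprint(secret)))
    return findings


def scan(lines) -> list[Finding]:
    out = []
    for n, line in enumerate(lines, 1):
        out.extend(scan_line(n, line))
    return out


# Constructed sample log lines, one per case the scanner has to handle.
SAMPLE_LOG = [
    # 1: a login handler logged the whole form, so the credential is in the log
    "2019-03-20T10:14:02Z INFO auth.login user=alice password=Tq7#vL9!bandersnatch result=ok",
    # 2: a data export row carrying a bcrypt hash: acceptable
    "2019-03-20T10:14:03Z DEBUG export id=42 user=bob password=$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    # 3: an argon2id hash in a JSON-style line: acceptable
    '2019-03-20T10:14:04Z DEBUG export {"user": "carol", "password": "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG"}',
    # 4: no credential field name at all, but a canary password inside a dumped request body
    "2019-03-20T10:14:05Z DEBUG http.body raw=user%3Dcanary-0002%26p%3D9pZ$mock-turtle!44",
    # 5: an ordinary line with nothing to find
    "2019-03-20T10:14:06Z INFO auth.logout user=dave",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} ({f.field}) fingerprint={f.evidence}")
```

Run against the sample, the scanner reports a plaintext credential and a canary hit on line 1, nothing on the two hashed rows, and a canary hit on line 4 even though no field is called “password” there. The two checks are deliberately complementary: the format check finds every credential-named field that holds something other than a hash, and the canary check finds copies of real passwords wherever they land, at the cost of covering only the canary accounts.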
The FTC Commissioners
The FTC voted 3-2 to refer the complaint and stipulated final order to the Department of Justice.
“The Order imposes a privacy regime that includes a new corporate governance structure, with corporate and individual accountability and more rigorous compliance monitoring,” said the three Commissioners voting for the settlement in a statement. “This approach dramatically increases the likelihood that Facebook will be compliant with the Order; if there are any deviations, they likely will be detected and remedied quickly.”
The two dissenting Commissioners argued that the $5 billion penalty, though substantial, was insufficient, and that the privacy governance changes would not alter Facebook’s practices with regard to gathering and leveraging users’ data.
“The settlement imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations,” Commissioner Rohit Chopra said in a statement. “Nor does it include any restrictions on the company’s mass surveillance or advertising tactics. Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.”
“Even though this settlement is historic, in order to support it I would have to be confident that its combined terms would effectively deter Facebook from engaging in future law violations and send the message that order violations are not worth the risk,” Commissioner Rebecca Kelly Slaughter said in a statement. “When executives at large companies exercise control over decisions, including decisions to break the law,” Slaughter continued, “they should be held accountable the same way executives at smaller companies are.”
The company issued a statement in a Facebook blog post, explaining that the settlement “will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”
Mark Zuckerberg also issued a statement about the settlement, stating “We have a responsibility to protect people’s privacy. We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry.”