July 24, 2019
To learn more about Lathrop Gage, click here ›
Client Alert: Facebook Settles FTC Privacy Complaint for Billions: What Your Business Needs to Know
Facebook agreed today to settle FTC charges that its privacy practices violated a 2012 Consent Order. Businesses should expect increased scrutiny of their own privacy practices as a result.
The $5 billion settlement payment will be the largest the agency has ever received for consumer privacy violations. The amount will likely garner the most headlines and attention, but opinions vary as to whether a payment equal to 9% of Facebook’s 2018 revenue and 23% of its 2018 profits will prove an effective deterrent.
Rather than the dollar amount, the Settlement’s real legacy will likely be the privacy practices Facebook has agreed to implement. Facebook will hire outside assessors to review its privacy practices, and its executives will be accountable for the results.
After Enron, Sarbanes-Oxley changed the accountability of publicly traded companies. The new Facebook privacy regimen should raise privacy awareness in US boardrooms to a new level, and provide a standard for all companies to consider in protecting and processing personal information.
In a 2012 FTC Consent Order, Facebook agreed not to misrepresent to consumers how Facebook controlled, used or shared their personal information. In 2018, the FTC charged Facebook with violating that Consent Order.
In the 2018 Complaint, the FTC alleged, among other things, that Facebook had misled users about its sharing of personal information; had continued to allowing app developers to access users’ friends data; had allowed those app developers most profitable to Facebook to violate its privacy policies; had implied to 60 million users they could opt in to facial-recognition technology when, in fact, it was already active by default; and had told users their phone numbers could enable two-factor authentication when the numbers were actually used for advertising purposes.
After a year-long investigation and extensive negotiations, Facebook agreed to a new Order, effective for 20 years. Facebook must now:
Two FTC commissioners dissented because they felt the $5 billion was not enough given Facebook’s monetization of personal information for profit despite the 2012 Order. They also stated that the release of all FTC claims through June 12, 2019 was too generous, that Facebook’s new privacy measures were not strong enough to prevent its future misuse of personal information, and the FTC should require more public disclosures from Facebook going forward under the new Order.
The Rest of the Enforcement Story
The buck does not stop with the FTC. The Securities and Exchange Commission also today announced a $100 million settlement with Facebook in the Cambridge Analytica matter, where the SEC had charged that Facebook made misleading disclosures regarding the risk of misuse of its user data.
State attorneys general can seek civil penalties on a “per violation” basis, which add up in a hurry. States are typically the first to review data breach responses and complaints from consumers about data privacy.
In addition, state consumer protection laws often permit private causes of action, including consumer class actions. For example, Cook County Illinois sued Facebook in 2018 under the Illinois Consumer Fraud Act over the Cambridge Analytica matter on behalf of affected Illinois residents. A federal court in California remanded the case to Illinois state court, where it now faces a motion to dismiss by Facebook. A private law firm is handling the class action for the County, and will receive 20% of any money Facebook pays the County.
In the new Order, the FTC has provided specific administrative and structural changes to corporate governance to prevent further misuse of consumer personal information. There will be a trickle-down effect. Now more than ever, all US companies should understand the rising expectations and increased liability associated with their collection, use, and sale of consumer personal information.
For more information about data protection, contact Tedrick Housh or Jason Schwent in Lathrop Gage’s Cybersecurity and Data Privacy Practice.
© 2019 LATHROP GAGE LLP, ALL RIGHTS RESERVEDCLICK HERE TO UNSUBSCRIBE | POWERED BY FIRMSEEK
The information contained in this document is provided to alert you to legal developments and should not be considered legal advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop Gage shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.
If you do not wish to receive any further communication from Lathrop Gage, please send an email to firstname.lastname@example.org with the subject UNSUBSCRIBE.