The Department of Justice, together with the Federal Trade Commission (FTC), today announced a settlement that requires Facebook to implement a comprehensive, multi-faceted set of compliance measures designed to improve user privacy and provide additional protections for user information. The settlement also requires Facebook to pay an unprecedented $5 billion civil penalty — the most ever imposed in an FTC case and among the largest civil penalties ever obtained by the federal government.
In a complaint filed today, the United States alleges that Facebook violated an administrative order issued by the FTC in 2012 by misleading users about the extent to which third-party application developers could access users’ personal information. The complaint further alleges that Facebook violated the Federal Trade Commission Act by deceiving users about their use of this and additional sensitive information.
As reflected in the stipulated order filed with the complaint, Facebook has agreed to settle these allegations by paying a $5 billion civil penalty and implementing robust, new compliance measures that will change how Facebook prioritizes and approaches user privacy issues. These new compliance measures include appointment of an independent assessor to monitor Facebook’s conduct, privacy reviews for all new or modified Facebook products, establishment of a new Independent Privacy Committee on Facebook’s Board of Directors, annual compliance certifications by Facebook CEO Mark Zuckerberg, and various reporting and record-keeping requirements. Under the stipulated order, the Department of Justice and FTC will share responsibility for monitoring and enforcing Facebook’s compliance.
“The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information,” said Assistant Attorney General Jody Hunt for the Department of Justice’s Civil Division. “This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness.”
“Despite repeated promises to its millions of world-wide users that they could control how their personal information is shared, Facebook took steps to undermine consumers’ choices,” said FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish previous violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
Response from Facebook:
After months of negotiations, we’ve reached an agreement with the Federal Trade Commission that provides a comprehensive new framework for protecting people’s privacy and the information they give us.
The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.
The accountability required by this agreement surpasses current US law and we hope will be a model for the industry. It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements. Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working — and that we find and fix them when they are not.
In reaching this settlement, we have also agreed to pay a $5 billion penalty — multiple times what any previous company has paid the FTC — in order to resolve allegations that we violated our 2012 consent order.
The FTC’s investigation was initiated after the events around Cambridge Analytica last year. Our handling of this matter was a breach of trust between Facebook and the people who depend on us to protect their data. This agreement is not only about regulators, it’s about rebuilding trust with people.
Over the past year we’ve made large strides on privacy. We’ve given people more control over their data, closed down apps and applied more resources to protecting people’s information.
But even measured against these changes, the privacy program we are building will be a step change in terms of how we handle data. We will be more robust in ensuring that we identify, assess and mitigate privacy risk. We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards.
As part of this effort, we will be undertaking a review of our systems. We expect this process will surface issues — that’s part of its purpose. When it does, we will work swiftly to address them.