The US Federal Trade Commission has fined Facebook a whopping US$5 billion for violating a 2012 FTC order on consumers’ privacy. It is the largest penalty ever imposed on any company for privacy violations and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
The order by FTC will require Facebook to restructure its approach to privacy from the corporate board-level down and establish strong new mechanisms to ensure that the company’s executives are accountable for the decisions they make about privacy. Facebook undermined consumers’ choices despite promises that users could control how their personal information is shared on the social media platform.
According to the FTC’s investigation, Facebook used “deceptive disclosure and settings”, which allowed the company to share users’ personal information with third-party apps downloaded by the users’ Facebook friends, while the users were unaware that Facebook was sharing such information. The FTC has also imposed a set of requirements on Facebook aimed at increasing transparency, accountability, and privacy at Facebook, Instagram, WhatsApp, and Messenger.
The FTC order imposes new privacy requirements. Here is how things will change at Facebook:
- Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data.
- Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising.
- Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.
- Facebook must establish, implement, and maintain a comprehensive data security program.
- Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext.
- Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
Commenting on this, Jody Hunt, Assistant Attorney General for the Department of Justice’s Civil Division, said:
The Department of Justice is committed to protecting consumer data privacy and ensuring that social media companies like Facebook do not mislead individuals about the use of their personal information. This settlement’s historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness.
Facebook in a blog post said:
We have heard that words and apologies are not enough and that we need to show action. By resolving both the SEC and the FTC investigations, we hope to close this chapter and turn our focus and resources toward the future.
Billions of people around the world use our products to make their lives richer and to help their organizations thrive. That makes it especially important that the people who use our platform can trust that their information is protected. This agreement is an unambiguous commitment to do that.