Facebook To Settle FTC’s Largest Ever Penalty For Violating User Privacy and Enact Multiple Safeguards On WhatsApp and Instagram?

Facebook and the US Federal Trade Commission (FTC) will settle the largest ever fine imposed on any digital platform. Along with the monetary penalty, Facebook will also have to undertake a massive top-to-bottom overhaul of its user privacy practices and protocols. The sweeping changes will have to be made on all platforms that Facebook currently owns and operates, including the most popular social media platform, WhatsApp, and Instagram. Facebook’s massive $5 Billion settlement with the FTC also removes CEO Mark Zuckerberg as the company’s sole privacy decision-maker.

After a year-long investigation and amidst intense speculation, the FTC has finally announced a massive settlement with Facebook. In addition to the huge fine amounting to $5 Billion, the FTC has also announced the many terms of its settlement with the social media giant. With the decision, Facebook has finally been openly called out for significant privacy concerns that have long been raised on various official, unofficial and legal platforms. The comprehensive privacy program mandated by the FTC’s order covers not only Facebook-owned WhatsApp and Instagram but also Facebook’s eponymous social platform.

Why Was Facebook Fined By The FTC And What Does It Mean?

The FTC’s investigation gained momentum after the infamous Cambridge Analytica scandal, in which Facebook allegedly used “deceptive disclosures and settings to undermine users’ privacy preferences” on multiple occasions. It is even more concerning that Facebook had specifically maintained, back in 2012, that it already took adequate measures to safeguard user privacy. The FTC further claims that the social media giant was repeatedly lenient with apps and web platforms that the company knew were violating its policies, particularly those pertaining to data privacy and confidentiality.

“These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook ‘friends’. The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing.”

Speaking about the settlement, FTC chairman, Joe Simons, said through an official statement, “Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices. The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

What Does The FTC’s Fine And Terms Of Settlement Mean For Facebook And The Associated Social Media Platforms?

The $5 Billion settlement is itself the largest in the history of the FTC. The largest fine that the FTC had earlier imposed was on Google in 2012. But at $22.5 million, it is quite minuscule in comparison. Incidentally, Facebook has also reached a $100 million settlement with the US Securities and Exchange Commission (SEC) for “making misleading disclosures regarding the risk of misuse of Facebook user data.” The SEC maintains that the social media giant was aware of the misuse of user data in 2015. Still, Facebook attempted to downplay the severity of the vulnerability and exposure of user data and privacy for about two years.

The most significant aspect of the settlement, besides the monetary penalty, is that it strips Facebook’s founder, CEO, and majority voting rights holder Mark Zuckerberg of some of his rights and power over user privacy. In essence, Zuckerberg will no longer have “unfettered control” over user privacy decisions. Facebook will now have to introduce much greater accountability at the board of directors level. To do so, the social media giant will have to establish an “independent privacy committee”. This committee will have to remain independent, and its members will have to be appointed by an independent nominating committee. Moreover, the committee’s members can only be removed by a supermajority of the Facebook board of directors.

Not only will the committee submit quarterly certifications that Facebook complies with the settlement’s mandates, but a third-party organization will also conduct independent scrutiny of Facebook’s data collection practices, including those on Instagram and WhatsApp. The audit will be conducted every two years for 20 years.

While the order covers Facebook, WhatsApp, and Instagram, the settlement also notes that the company must conduct a privacy review of every new or modified product, service, or practice before it is implemented. Facebook will have to maintain documentary evidence proving it has prioritized user privacy.

What Privacy Measures Overhaul Will Facebook Undertake To Protect Users On All Its Platforms?

In an official press release, the FTC mentioned, “The settlement order announced today also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy and that those decisions are subject to meaningful oversight.” The FTC has stressed that Facebook will have to enact the following privacy protocols:

  • Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

Facebook’s Response To The FTC Settlement:

Facebook has officially issued a response to the FTC settlement. Through a blog post authored by general counsel, Colin Stretch, the company noted, “The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”

“The accountability required by this agreement surpasses current US law and we hope will be a model for the industry. It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements. Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working — and that we find and fix them when they are not.” Interestingly, Facebook, through Stretch, still insists the Cambridge Analytica data misuse scandal was “a breach of trust between Facebook and the people who depend on us to protect their data.”

Facebook Settling With FTC To Have Larger Impact On Other Tech Companies Too?

Just this week, Google settled with the FTC over allegations that YouTube violated laws enacted to protect children online. The settlement stemmed from YouTube allegedly violating COPPA (Children’s Online Privacy Protection Act). Incidentally, the exact amount of the fine hasn’t been officially disclosed, but reports claim Google will pay a multimillion-dollar fine. However, even more important than the monetary penalty are the conditions and requisites that are implied.

As a consequence of the settlement, Google could soon overhaul its approach to data safety and user privacy. The search engine giant will likely enact several policies that are clearly defined and intended to protect user data. In the same manner, Facebook too will undertake a massive overhaul of policies and practices pertaining to user privacy. Moreover, the social media giant’s settlement seems to include several stringent conditions that have to be met and their compliance proven.

Despite the seemingly steep penalty, some commissioners voted against the settlement. One such commissioner was Rohit Chopra, who notes, “[The settlement] doesn’t fix the incentives causing these repeat privacy abuses” because it fails to stop Facebook from “engaging in surveillance or integrating platforms. There are no restrictions on data harvesting tactics — just paperwork. FB gets to sign off on what’s acceptable”. Interestingly, he also maintains that most of Facebook’s senior management is being offered a “blanket immunity for their role in the violation.” He was, of course, referring to the Cambridge Analytica scandal.

“The settlement fine print gives Facebook broad immunity for ‘known’ and ‘unknown’ violations. What’s covered by these immunity deals? Facebook knows but the public is kept in the dark. Facebook’s flagrant violations were a direct result of their business model of mass surveillance and manipulation, and this action blesses this model. The settlement does not fix this problem. It now goes to court for approval. We should all be concerned that the business incentives of big tech platform behavioral advertising spur practices that are dividing our society. When companies break the law and cause massive harm, they need to be held accountable,” he concluded.

Alap Naik Desai