Facebook, Inc. will pay a record $5 billion penalty and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle FTC charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information. The $5 billion penalty is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It is one of the largest penalties ever assessed by the U.S. government for any violation.
Following a yearlong investigation by the FTC, the Department of Justice filed a complaint on behalf of the Commission alleging that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order. These tactics allowed the company to share users’ personal information with third-party apps downloaded by the user’s Facebook “friends.”
In addition to the historic penalty, the new 20-year settlement order also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.
Among other requirements, it establishes an independent privacy committee of Facebook’s board of directors, requires the company to designate compliance officers, and enhances the independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties. The assessor’s biennial assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. Additionally, the order imposes significant new privacy requirements relating to facial recognition, data security, and oversight of third-party app developers.
In a related, but separate development, the FTC also announced an administrative complaint against the data analytics company Cambridge Analytica. The agency filed for public comment settlements with Cambridge Analytica’s former Chief Executive Officer Alexander Nix and Aleksandr Kogan, an app developer who worked with the company, alleging they used false and deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The proposed settlement agreements with Nix and Kogan restrict how they conduct any business in the future, and require them to delete or destroy any personal information they collected. Cambridge Analytica has filed for bankruptcy and has not settled the FTC’s allegations. In addition, the FTC alleges that Cambridge Analytica falsely claimed until at least November 2018 that it was a participant in the EU-U.S. Privacy Shield framework, even though the company allowed its certification to lapse in May 2018. The Privacy Shield establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The FTC also alleges that the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program. The FTC acknowledged the cooperation of the United Kingdom’s Information Commissioner’s Office in this matter. To facilitate international cooperation in this case, the FTC relied on key provisions of the U.S. SAFE WEB Act, which allows the FTC to share information with foreign counterparts to combat deceptive and unfair practices.
The Commission vote to refer the Facebook complaint and stipulated final order to the Department of Justice for filing was 3-2. The Department filed the complaint and stipulated final order in the U.S. District Court for the District of Columbia. Chairman Simons along with Commissioners Noah Joshua Phillips and Christine S. Wilson issued a statement on this matter. Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued separate statements on this matter. The Commission vote to issue the proposed administrative complaint against Cambridge Analytica, and to accept the proposed consent agreements with Kogan and Nix, was 5-0. For more details on the two matters, click on the headlines above.
Equifax Inc. has agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The agencies alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people. The breach allegedly exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.
In addition to the monetary relief to consumers, Equifax is also required to implement a comprehensive information security program requiring the company to take several measures including:
- Designating an employee to oversee the information security program;
- Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;
- Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
- Testing and monitoring the effectiveness of the security safeguards; and
- Ensuring service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.
The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years. The Commission vote authorizing the staff to file the complaint and proposed stipulated final order was 5-0. For more details of the settlement and an archival webcast of the FTC-hosted press conference, click on the headline above.
The FTC reached a settlement with a background screening company, SecurTest, Inc., which falsely claimed on its website that it participated in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield cross-border data transfer frameworks. The frameworks consist of a set of principles and related requirements deemed by the European Commission and the Swiss authorities to provide “adequate” privacy protection for consumer data. Separately, the FTC sent warning letters to more than a dozen companies for falsely claiming participation in other cross-border data privacy agreements, including to two companies that claimed they are participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system even though they are not certified participants. The APEC CBPR system is an initiative to enhance the protection of consumer data that moves among the APEC member economies through a voluntary but enforceable code of conduct.
The FTC and its law enforcement partners announced a major crackdown on illegal robocalls, including 94 actions targeting operations that are responsible for more than one billion calls pitching credit card interest rate reduction services, moneymaking opportunities, medical alert systems, and other products and services.
The joint crackdown, “Operation Call it Quits,” also includes new information to help educate consumers about illegal robocalls. In addition, the FTC continues to promote the development of technology-based solutions to block robocalls and combat caller ID spoofing. “Operation Call it Quits” includes four new cases and three new settlements from the FTC along with related actions by the U.S. Department of Justice and 25 federal, state, and local agencies.
The competition authorities of the G7 countries (Canada, France, Germany, Italy, Japan, United Kingdom, USA), together with the European Commission, released a Common Understanding on issues raised by the digital economy for competition analysis. The FTC worked with its G7 counterparts to draft these principles, which recognize innovation, sound competition analysis, competition advocacy, and international cooperation as keys to promoting the benefits of competition in the digital economy. For a statement by FTC Chairman Joseph Simons supporting the Common Understanding of G7 Competition Authorities on Competition and the Digital Economy, click on the headline above.
Following a decision of the United States Court of Appeals finding that the acquisition of Mid Dakota Clinic by Sanford Health would substantially lessen competition, the parties decided to abandon the transaction. The Court of Appeals upheld a December 2017 district court preliminary injunction sought by the FTC. The FTC alleged that the proposed acquisition would have given Sanford at least a 75 to 85 percent share of the market for providing adult primary care physician services, pediatric services, and obstetrics and gynecology services, and would have left the Bismarck-Mandan region of North Dakota with only one physician group offering general surgery physician services.
UnitedHealth Group and DaVita, Inc. agreed to a settlement to resolve FTC allegations that UnitedHealth Group’s proposed $4.3 billion acquisition of DaVita Medical Group will harm competition in healthcare markets in the Las Vegas area. According to the complaint, the proposed acquisition would result in a near monopoly controlling more than 80 percent of the market for services delivered by managed care provider organizations to Medicare Advantage insurers. The complaint alleges that elimination of this competition would increase healthcare costs and decrease competition on quality, services, and other amenities in the affected area, as well as result in anticompetitive vertical integration.
Complaints to the FTC’s Consumer Sentinel Network about scammers pretending to be from the government reached the highest levels on record this spring, according to the latest FTC Consumer Protection Data Spotlight. Since 2014, consumers contacted by someone falsely claiming to be from the Social Security Administration, Internal Revenue Service, or another U.S. government entity, have filed nearly 1.3 million reports about these cons, far more than any other type of fraud.
El Salvador’s Defensoría del Consumidor Joins econsumer.gov
El Salvador’s consumer protection agency recently joined econsumer.gov. The Defensoría del Consumidor’s president, Ricardo Salazar, announced the membership at a June 25 press conference. The Defensoría represents the 39th country with a participating agency. Econsumer.gov is a joint effort to gather and share cross-border consumer complaints, with a web portal available to consumers in eight languages. It also has a mobile version, which is used to report about a third of the complaints received. Contact Hui Ling Goh for more information on how to participate.
The FTC, with the concurrence of DOJ’s Antitrust Division, approved amendments to the Hart-Scott-Rodino (HSR) Rules and to the instructions for filling out an HSR pre-merger notification form. The FTC will incorporate the new 10-digit North American Product Classification System, or NAPCS, codes introduced by the Census Bureau, and the updated 6-digit North American Industry Classification System, or NAICS, codes. A notice in the Federal Register provides more information.