Washington, DC - If you’ve ever wondered what a paradigm shift looks like, you’re witnessing one today. The FTC’s $5 billion civil penalty against Facebook for violations of an earlier FTC order is record-breaking and history-making. In addition, the settlement requires Facebook to implement changes to its privacy practices, its corporate structure, and the role of CEO Mark Zuckerberg that are seismic in scope. Simply put, when it comes to the business of consumer privacy, it’s no longer business as usual at Facebook.

WHY THE FTC SUED FACEBOOK IN 2012

In 2012, the FTC charged Facebook with eight separate privacy-related violations, including that the company made deceptive claims about consumers’ ability to control the privacy of their personal data. One specific count alleged that Facebook allowed users to choose settings that supposedly limited access to their information just to “friends” without adequate disclosures that another setting allowed that same information to be shared with the developers of apps those friends used. Put another way, suppose Consumer A restricted access to friends and designated Consumer B as a friend. If Consumer B used a particular app on Facebook – let’s say a game – the game developer could access information about Consumer A, including data designated as private. That was all going on behind the scenes without a clear disclosure to Consumer A and in flagrant disregard of that person’s privacy choices.

To settle that case, Facebook agreed to an order that, among other things: 1) prohibited Facebook from making misrepresentations about the privacy or security of consumers’ information, 2) prohibited Facebook from misrepresenting the extent to which it shares personal data, and 3) required Facebook to implement a reasonable privacy program.

According to the FTC, Facebook flouted that order in multiple ways, and today’s settlement holds them accountable for putting profits over their privacy promises.

HOW FACEBOOK VIOLATED THE 2012 FTC ORDER AND THE FTC ACT

Under the 2012 order, Facebook must honor consumers’ privacy choices or face an order enforcement action, which can result in substantial civil penalties not legally available to the FTC in an initial lawsuit. The FTC alleges that since agreeing to that settlement, Facebook repeatedly misrepresented the extent to which users could control the privacy of their data.

FTC Settlement with Facebook

You’ll want to read the new complaint for details, but here are a few examples of how the FTC alleges Facebook violated the order. After agreeing to the 2012 settlement, Facebook launched services with feel-good names like “Privacy Shortcuts” and “Privacy Checkup” that claimed to help users manage their settings and limit who had access to their data. Concerned about their privacy, many consumers used those new tools to limit access just to friends.

But according to the FTC, even if people chose the most restrictive settings those tools allowed, Facebook made consumers’ personal data accessible to companies that developed apps used by consumers’ friends. To name just a few categories, that included the news and books they were reading, their relationship details, their religious and political views, their work history, their photos, and the videos they watched. Facebook did offer a setting to ensure users’ privacy preferences would be honored, but it was hidden away in a place people were unlikely to look. And it wasn’t directly accessible from the very tools the company touted as the way for consumers to “review and edit the privacy of key pieces of information.”

Furthermore, at the 2014 F8 conference – a gathering of companies that build products and services around Facebook – Facebook announced that it was no longer allowing third-party developers to collect data about the friends of app users. However, Facebook was separately telling developers with existing apps on the platform that they could continue to collect friends’ personal data for another year. And even after that period elapsed, Facebook continued to provide certain developers with access to friend data for years to come. The FTC says it took Facebook until at least June 2018 to stop providing access to this data to certain third-party apps.

Another way the FTC says Facebook violated the order was by failing to adequately assess and address privacy risks posed by third-party developers. Other than getting developers to click an “I agree” terms-and-conditions box when registering an app with the Facebook Platform, Facebook didn’t screen developers or their apps before giving them access to massive amounts of data that users had designated as private. Of course, in the wrong hands, information like that can grease the wheels for identity thieves and fraudsters. One particularly troubling charge is that when Facebook learned that app developers were violating Facebook’s terms, Facebook’s enforcement action was often influenced by how much advertising money the app developer spent with Facebook. Just how much user data was improperly disclosed? Facebook’s poor recordkeeping makes that difficult to determine.

According to the complaint, another way Facebook misrepresented the extent to which users could control the privacy of their data related to a form of technology that raises particular concerns for many consumers: facial recognition. In an April 2018 update to its Data Policy, Facebook represented to consumers, “Face recognition: If you have it turned on, we use face recognition technology to recognize you in photos, videos and camera experiences.” The complaint alleges that this statement was deceptive to tens of millions of users who have Facebook’s facial recognition setting, “Tag Suggestions,” because that setting was turned on by default and the updated Data Policy suggested that users would need to opt-in to having facial recognition enabled for their accounts.

In addition, the complaint charges Facebook with a new violation of the FTC Act. You know how Facebook asks users for their mobile phone number to help secure their accounts or reset their passwords? According to the complaint, Facebook didn’t tell people it also used that phone number to serve them with ads.

It boils down to this. In the face of consumers’ intent to limit information-sharing to a select few, Facebook ignored them and shared it broadly. Facebook did that despite its privacy promises, despite consumers’ efforts to protect their privacy, and despite the terms of the 2012 order. Why? To further Facebook’s financial interests.

HOW THE NEW ORDER WILL CHANGE FACEBOOK’S APPROACH TO CONSUMER PRIVACY

The $5 billion civil penalty is the largest ever imposed on a company anywhere for violating consumers’ privacy. What’s more, the penalty – which, by law, goes to the U.S. Treasury (not the FTC) – is one of the largest penalties ever assessed by the U.S. government for any violation. It’s designed to make all companies – not just Facebook – sit up, take notice, and rethink their practices.

Could the FTC have won a bigger civil penalty by going to court? Probably not. Judges tend to evaluate financial remedies in comparison with cases that have gone before it. That’s why we think the financial settlement is in the public interest. It has the added benefit of establishing a new benchmark when the FTC challenges privacy violations in the future.

The order imposes additional requirements to address Facebook’s illegal conduct. For example, Facebook must implement a stringent program to monitor third-party developers and terminate access to any developer that doesn’t follow the rules. In addition, Facebook can’t use for advertising purposes the phone numbers it obtained specifically for security. When it comes to facial recognition technology, the order requires Facebook to give clear notice of how it uses that information and it must get consumers’ express consent before putting that data to a materially different use. Facebook also will have to encrypt passwords and can’t ask people for their passwords to other services, and must report any privacy incident to the FTC within 30 days. On top of everything Facebook will have to do to protect consumers’ privacy, it also has to implement a comprehensive data security program. Another important consideration: These new accountability provisions don’t just apply to Facebook. They also apply to companies Facebook controls, like Instagram, WhatsApp, and other Facebook-owned affiliates that it shares consumers’ information with between now and 2039.

But don’t let a focus on the record-setting financial and conduct remedies distract from just how monumental a change the order imposes on Facebook’s privacy ecosystem and CEO Mark Zuckerberg’s job description. The order explains in detail a new system of independent control, multi-layer accountability, and personal responsibility over Facebook’s practices, and substantially limits Mr. Zuckerberg’s unfettered say in privacy decisions. In fact, for the next 20 years, anytime Facebook makes a privacy decision, multiple independent watchdogs will be looking over its shoulder. You’ll want to read the order in depth, but here are some highlights of ways that business is about to change at Facebook.

New Facebook Privacy Compliance System

Who will oversee privacy at Facebook? An Independent Privacy Committee. Facebook’s Board of Directors will name a new subgroup that will serve as an Independent Privacy Committee. Facebook officers and employees – including Mr. Zuckerberg – are disqualified from membership. The Committee will be briefed about all material privacy risks and issues at the company, and has approval-and-removal authority over a new cadre of designated compliance officers and a third-party assessor that will not answer to Facebook. (More about them in a moment.)

Who will carry out Facebook’s day-to-day privacy program? Designated compliance officers. Expert compliance officers, who must be approved by the Independent Privacy Committee, will implement and maintain Facebook’s privacy program. The compliance officers will be responsible for documenting every material privacy decision in detail. They’ll provide that documentation quarterly to the third-party assessor and CEO Zuckerberg. They also will have to certify quarterly to the FTC that Facebook is complying fully with the privacy program. If that’s not the case, the compliance officers will throw a flag that triggers even closer FTC scrutiny. In addition, the independent assessor will meet with the Independent Privacy Committee four times a year outside the presence of Facebook officers and employees. What if Facebook doesn’t like what the compliance officers are doing? Tough. Only the Independent Privacy Committee can remove them from the job.

Who else will be watching Facebook? A third-party assessor with broad monitoring powers. The assessor – who must be appointed with FTC approval – will provide an independent evaluation of Facebook’s privacy practices every two years. The order mandates that the assessor must subject Facebook to substantial scrutiny and can’t just take management’s word for what’s happening. In effect, the assessor must kick the tires, look under the hood, put it up on the lift, conduct diagnostics, and take it for a test drive. And again, Facebook will not be able to remove the assessor on its own.

How much of a role will CEO Mark Zuckerberg play in making final privacy decisions for the company? Substantially less, but he’ll have much more on the line personally. Mr. Zuckerberg will get a copy of Facebook’s written privacy program and quarterly reports of privacy decisions. But he does not control the Independent Privacy Committee, the designated compliance officers, or the third-party assessor. However, the order does impose a major requirement on him. Facebook’s CEO must certify quarterly to the FTC that the company’s privacy program complies with the order. A false certification could trigger civil or even criminal penalties.

How much access will the FTC have to Facebook’s privacy decisions? An unprecedented amount. The order gives the FTC unparalleled access to Facebook’s decision-making. Upon request, the FTC will get written documentation of every privacy decision Facebook makes and copies of the third-party assessor’s reports. (Remember that the FTC has to approve who gets hired as the assessor.) The order also includes tools that slice through any red tape that could have hindered the FTC’s ability to get records, conduct interviews, or take other steps to monitor Facebook’s compliance.

The goal of the FTC’s settlement is the creation of a new culture at Facebook where the company finally lives up to the privacy promises it has made to the millions of American consumers who use its platform.