As previously reported on July 12, 2019, Facebook will pay a $5 billion penalty to the Federal Trade Commission to resolve a privacy probe into whether Facebook violated a prior FTC consent decree requiring the company to better protect user privacy. The $5 billion penalty is the largest imposed on any company for violating consumers’ privacy – nearly 20 times the largest privacy or data security penalty to date.

In addition to the penalty, the settlement order, finalized by the U.S. Department of Justice and announced by the FTC on July 24, establishes new restrictions on Facebook’s business operations, including an unprecedented corporate governance structure and new tools for the FTC to monitor Facebook. A new independent privacy committee of Facebook’s board of directors will end CEO Mark Zuckerberg’s authority over privacy decisions. This committee is intended to improve Facebook’s accountability and transparency, and will have oversight over Facebook’s new privacy program. The privacy program requires the designation of privacy compliance officers and submission to the FTC of quarterly certifications that verify the company is in compliance with the order.

As part of the privacy program, which also covers WhatsApp and Instagram, Facebook must conduct and document a privacy review of every new or modified product, service, or practice before it is implemented. The order also requires Facebook to document security incidents when data of 500 or more users has been compromised. This documentation must be provided to the FTC and a third-party assessor within 30 days of incident discovery.

An FTC-approved third-party assessor will evaluate the effectiveness of Facebook’s privacy program, identify any gaps, and report to the independent privacy committee each quarter. The assessor’s biennial assessments of the privacy program must be based on independent fact-gathering and must not rely primarily on assertions made by Facebook management. Facebook is prohibited from making any misrepresentations to the assessor. Under the order, these assessments will continue for a period of 20 years.

The order also imposes the following requirements:

  • Facebook must exercise greater oversight over third-party apps, which includes terminating app developers that fail to certify compliance with Facebook’s platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using telephone numbers collected to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology and obtain user consent prior to using this technology in a manner that exceeds its previous disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.