On July 24, 2019, in a development that underscores the heightened significance of privacy-related issues, the Federal Trade Commission (FTC) announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions and a modified corporate structure. In a related development, the Securities and Exchange Commission (SEC) also announced that Facebook had agreed to a $100 million settlement to resolve the agency’s allegations that the company misled investors regarding the risk of misuse of Facebook user data. Both agency actions followed the March 2018 revelations data analytics firm Cambridge Analytica had obtained access to user data of millions of Facebook users. The FTC’s July 24, 2019 press release about the $5 billion penalty can be found here. The SEC’s July 24, 2019 press release about the $100 million settlement can be found here.
The FTC Settlement
The massive $5 billion penalty is the largest ever imposed on any company for violating consumers’ privacy. It dwarfs the $230 million fine against British Airways and the $124 million fine against Marriott International that the U.K. Information Commissioner’s Office announced earlier this month for the companies’ alleged violations of the E.U. General Data Protection Regulation (GDPR).
The FTC approved the settlement by a 3-2 vote, with the two Democratic representatives of the Commission voting against the settlement and also filing separately dissenting opinions.
Commissioner Rohit Chopra objected to the settlement in a dissenting opinion in which he contended, among other things, that the settlement does little to change Facebook’s business practices; that the $5 billion penalty, as massive as it is, is less than the company earned from its “illegal conduct”; and that the settlement lets the company “off the hook” for “unspecified violations.” Commission Rebecca Kelly Slaughter filed a separate dissenting opinion, objecting that the negotiated settlement is “insufficient” under applicable statutory factors and that the settlement did not do enough to have a “meaningful disciplining effect.”
Facebook’s payment to the FTC of the $5 billion penalty resolves charges that the company had violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information. Among other things, the agency said in its press release about the penalty that Facebook “repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.” The FTC’s formal complaint against Facebook can be found here.
In order to “prevent Facebook from deceiving its users about privacy in the future,” Facebook agreed to a new 20-year settlement order that overhauls the company’s privacy-related decision making by “boosting the transparency” and holding the company accountable via “overlapping channels of compliance,” including, among other things, creating a privacy committee on the company’s board of directors. The order introduces several new levels of external oversight as well. The order also imposes what the agency called “significant new privacy requirements” including a new “comprehensive data security program,” as well as limitations on use of facial recognition technology and on the company’s use of user information such as phone numbers, passwords, and email addresses.
The SEC Settlement
Facebook’s separate agreement to $100 million settlement with the SEC resolves charges that the company learned as early as 2015 about Cambridge Analytic’s misuse of user data but the company did not change its disclosure to investors about the risk of misuse of user data for over two years. The SEC’s formal complaint against Facebook can be found here
As significant as these regulatory resolutions are, Facebook is hardly out of the woods on privacy-related issues. The company continues to face investigations from European privacy regulators for possible GDPR-related violations. The Cambridge Analytica-related securities class action lawsuit remains pending as well. At least according to this morning’s headlines, the company could be one of the large tech firms under investigation by the U.S. Department of Justice for possible antitrust violations as well.
As I noted a few days ago in connection with the U.K. ICO’s announced proposed fines against British Airways and Marriott International, these Facebook settlements, and in particular the massive FTC settlement, dramatically underscore how significant privacy-related issues now are as a potential source of corporate risk.
To be sure, some may say that Facebook represents a unique privacy risk, given the nature of its platform and its business model. Facebook is indeed a new age media company. But that does not mean that other companies can therefore simply ignore or discount what has happened here. Keep in mind that the recent GDPR fines were awarded against an airline and a hotel company. The fact is that privacy-related issues are now a very big deal for every company and not just for social media juggernauts.
There is one aspect of the FTC’s settlement with Facebook that I think is particularly interesting. The settlement requires the company to set up a separate board committee to focus on and supervise privacy issues. This mechanism was put in place as a remedial measure for a company that the FTC contends violated a prior regulatory settlement agreement. However, in my view, the step provides a significant message about the role of the corporate board in supervising privacy issues. The implication is that it is the board’s responsibility to ensure that privacy issues are managed and controlled appropriately.
Though it is relatively much smaller than the FTC settlement, the SEC settlement is also important in its own way. The SEC’s enforcement action is focused on Facebook’s disclosures to investors about the company’s privacy practices. The action highlights the fact that privacy-related disclosures are significant and the failure to provide appropriate disclosures to investors about privacy practices may represent a violation of the federal securities laws. This enforcement action represents yet another example of the ways in which privacy-related issues potentially can lead to D&O lawsuits.
It is a point that I have made before on this blog, but I happen to believe that going forward privacy may represent one of the most significant areas of potential corporate risk exposure. This risk includes not only the possibility of the massive regulatory fines that the GDPR permits, but it also includes the possibility of follow-on D&O claims, when shareholders claim that company management failed to take appropriate steps to prevent the regulatory fines or that management failed to fully inform investors of the regulatory risks that the company faces.