The Facebook Settlement

Marshall L. Miller is of counsel and Jeohn Salone Favors is an associate at Wachtell, Lipton, Rosen & Katz. This post is based on their Wachtell Lipton memorandum.

In a settlement announced by the Federal Trade Commission [July 24, 2019], Facebook agreed to a $5 billion penalty and extensive remedial requirements to resolve an investigation into violations of a 2012 consent decree related to its data privacy practices. On the same day, the Securities and Exchange Commission announced a related $100 million resolution of charges that Facebook made misleading public disclosures in connection with data privacy risks.

The FTC resolution includes not only the largest data privacy penalty in the agency’s history, but a remedial order that is broad and long-lived, requiring Facebook to restructure its privacy operations at the compliance, executive management, and board of directors levels. Though this high-profile action constitutes, by orders of magnitude, the FTC’s most aggressive privacy enforcement effort to date, it has drawn substantial criticism from some quarters for not going far enough. The Commission’s 3-2 vote in favor of the resolution, split along party lines, reflects its controversial nature.

As part of the resolution, which followed a year-long investigation, the FTC filed a complaint alleging that Facebook “subverted users’ privacy choices to serve its own business interests,” through false promises regarding users’ ability to control privacy settings, misrepresentations regarding the sharing of users’ personal data with third parties, and deceptive practices as to the collection and use of users’ telephone numbers. These actions violated the terms of the 2012 consent decree, which barred Facebook from making deceptive privacy claims and required a reasonable program to protect user privacy.

The monetary penalty of $5 billion dwarfs all prior fines in this area, including the FTC’s $100 million penalty in 2016, as well as the largest international data privacy penalty to date, a £183 million fine recently imposed by U.K. authorities. Meanwhile, the remedial order imposes expansive compliance obligations and vigorous accountability and reporting requirements, including the establishment of a board privacy committee made up of independent directors, designation of compliance officers accountable to that committee, a third-party compliance assessor with enhanced authority and independence, heightened privacy requirements for sensitive applications and activities, and quarterly privacy certifications to the FTC, including from the CEO. Given the order’s 20-year duration, the FTC will exert influence over Facebook’s privacy practices—and, at least by extension, the tech industry—for decades to come.

But aspects of the resolution have prompted backlash from the dissenting commissioners and critics in Congress. For example, the settlement order applies only to Facebook as a company and releases claims against individual officers, though media reports had suggested the agency was considering holding executives personally responsible for the company’s privacy failures. And in the view of the dissenting commissioners, the settlement does not impose sufficiently meaningful limits on Facebook’s practices related to the collection, use, and sharing of customer data.

Meanwhile, the SEC penalized Facebook for making misleading public disclosures by presenting the risk of misuse of user data as hypothetical, even though numerous employees within the company knew that such misuse had, in fact, occurred. The SEC further found that Facebook did not maintain disclosure controls or procedures to ensure the accuracy of material cyber- and privacy-related risk disclosures, as required of public companies.

With state legislatures and attorneys general ramping up enforcement and European data protection authorities imposing hefty penalties for violations of the EU’s General Data Protection Regulation, today’s actions are a further reminder to expect vigorous regulatory activity in the cyber and data privacy realm in the months and years ahead. The FTC action—and the controversy it has generated—is also sure to prompt close scrutiny from Congress, as it weighs whether to increase the agency’s reach and authority as part of a possible overhaul of federal data privacy law.
