FTC settlement with Facebook imposes tough new privacy rules, including personal liability for CEO Zuckerberg if violated

Facebook critics were grousing that $5 billion was too little to pay for the company’s alleged repeated violations of user privacy, in contravention of an earlier FTC consent decree. Indeed, the financial penalties could have been a great deal stronger. But we now know the settlement with the FTC comes with a range of strict new privacy requirements that impose substantial new compliance burdens on Facebook.

There are still some critics complaining that even the new privacy rules still don’t go far enough to place “meaningful limits” on the collection of personal data.

Changing the privacy culture of Facebook. Mindful of criticism of the monetary settlement, FTC Chairman Joe Simons said in a press release, “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

So what must Facebook now do? A lot.

Independent board privacy committee. There will be a new independent privacy committee at the board level, “removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy.” Members of the committee cannot be fired by Zuckerberg but only by a supermajority of the board.

In addition, Facebook will be required to appoint privacy compliance officers, who must certify on a quarterly basis that Facebook is in compliance with the FTC mandated program and will be personally subject to civil and criminal liability for any false representations. These compliance officers can only be hired and fired by the board’s privacy committee and not by any executive at Facebook including Zuckerberg.

Personal liability for Mark. Mark Zuckerberg must also sign off on the quarterly FTC privacy reports. He faces potential personal liability for any false statements or misrepresentations. (One question going forward will be how “material” must such misrepresentations be to trigger liability?)

An independent assessor, accountable to the FTC and the board’s privacy committee, will be tapped to review the state of Facebook’s privacy program every two years — for 20 years. That assessment cannot rely “primarily” on Facebook management’s compliance statements. It also appears that the assessor and FTC can use what amounts to legal civil discovery tools to gain information to assess compliance during that biennial review process.

These rules equally extend to Instagram and WhatsApp.

New product review and third-party oversight. Facebook will also be required to conduct a compliance review of “every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy.” And when privacy events that compromise the data of more than 500 users occur, Facebook must document and submit them to the FTC and its privacy assessor within 30 days.

Additional new requirements include:

• Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
• Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
• Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
• Facebook must establish, implement, and maintain a comprehensive data security program;
• Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
• Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

Speaking of third parties, Facebook today acknowledged that despite shutting down sharing of Facebook-friends data last year, some partners still had access due a bug in Facebook’s codebase. Microsoft and Sony were able to continue to access to Facebook friends’ data but that has now been corrected according to the company.

Zuckerberg says he supports the new rules. Mark Zuckerberg issued a statement in which he said, “I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.” He added that the company’s next focus “is to build privacy protections as strong as the best services we provide. I’m committed to doing this well and delivering the best private social platform for our community.”

Why we should care. Say what you want about the $5 billion penalty, but the new privacy regimen that Facebook must comply with appears very strict. That’s reflected most obviously in the personal liability that Mark Zuckerberg and the company’s new privacy officers will face for false statements or misrepresentations to the FTC. And the third-party app policing rules are designed to deter and prevent future Cambridge Analytica-style data harvesting.

There are also some provisions of the new rules that could affect Facebook’s access to data for ad purposes, including limitations around the use of phone numbers and third party passwords.