A day after handing Google the largest fine it has ever handed to a single company, for allegedly deceiving users over privacy, the FTC has settled another privacy matter with Google’s industry rival Facebook, with no fine at all, provided Facebook complies with its regular privacy audits.
The FTC says Facebook must obtain consumers’ consent before sharing their information beyond established privacy settings, following a public comment period on the proposed settlement. Charges that Facebook deceived consumers by telling them they could keep their info on Facebook private, then allowing it to be shared and made public (repeatedly) have now been resolved.
Facebook is required to obtain biennial privacy audits from an independent third party.
The Commission vote to approve the final order was 3-1-1, with Commissioner J. Thomas Rosch dissenting and Commissioner Maureen K. Ohlhausen not participating.
Following is the FTC’s statement in its entirety (authored by Chairman Jon D. Leibowitz and Commissioners Edith Ramirez and Julie Brill):
The final consent order in In re Facebook, Inc. that we approve today advances the privacy interests of the nearly one billion Facebook users around the world by requiring the company to live up to its promises and submit to privacy audits. Notably, Facebook will be subject to civil penalties of up to $16,000 for each violation of the order. We intend to monitor closely Facebook’s compliance with the order and will not hesitate to seek civil penalties for any violations.
We write to address the arguments raised by our colleague, Commissioner Rosch, who opposes final approval of the order. One of his objections relates to the extent to which the order would reach the activities of third-party “apps” downloaded by consumers while using the Facebook platform. The Order broadly prohibits Facebook from misrepresenting in any manner, expressly or by implication, the extent to which it maintains the privacy or security of any information it collects from or about consumers. For a company whose entire business model rests on collecting, maintaining, and sharing people’s information, this prohibition touches on virtually every aspect of Facebook’s operations. Further, the Order sets forth clear examples of how this broad prohibition would apply in connection with apps, by prohibiting Facebook from misrepresenting the extent to which it makes its users’ information accessible to apps; or the steps it takes to verify the privacy or security protections that apps provide.
A statement from Facebook about an app’s conduct may well amount to a promise that Facebook is taking steps to assure the level of privacy or security that the app provides for consumers’ information.
These provisions make clear that Facebook will be liable for conduct by apps that contradicts Facebook’s promises about the privacy or security practices of these apps. Commissioner Rosch also opposes the consent order because it includes a denial by Facebook of the substantive allegations in the Commission’s complaint.
Based on this denial, Commissioner Rosch asserts that the Commission lacks the requisite “reason to believe” that Facebook violated Section 5 of the Federal Trade Commission Act and a basis to conclude that the settlement is in “the interest of the public.”
We strongly disagree with Commissioner Rosch’s view that if the Commission allows a respondent to deny the complaint’s substantive allegations, or use language that is tantamount to a denial, there is no basis for the Commission to conclude that the respondent engaged in unlawful conduct or that the consent is in the public interest. As Commissioner Rosch is aware, an extensive investigation and detailed staff recommendation has given the Commission a strong—not just a reasonable—basis to issue its complaint in this case and to conclude that both the complaint and the resulting settlement are in the public interest. Here, as in all enforcement cases, it is the evidentiary record developed by FTC staff during the course of its investigation, not any ensuing settlement agreement, that forms the basis for action by the Commission. A respondent’s denial of liability in a consent agreement does not diminish staff’s extensive investigation or the ability of the Commission to find a reasonable basis to finalize a settlement or to enforce an order that results from settlement negotiations. Moreover, express denials of liability are consistent with the Commission’s current Rules of Practice.
We view the final consent order in this matter to be a major step forward for consumer privacy and hereby approve it.
While we do not believe that a respondent’s denial of liability is reason to reject a settlement that is in the public interest, we share Commissioner Rosch’s desire to avoid any possible public misimpression that the Commission obtains settlements when it lacks reason to believe that the alleged conduct occurred. We commend Commissioner Rosch for focusing our attention on the issue; going forward, express denials will be strongly disfavored. We also appreciate Commissioner Rosch’s suggestion that consent order language that the respondent “neither admits nor denies” a complaint’s allegations may very well be a more effective way to ensure that there are no misimpressions about the Commission’s process. Accordingly, we will consider in the coming months whether a modification to the Commission Rules of Practice is warranted.
Do you think this is a fair settlement, or did Facebook get off too easy?
Image from All Things D conference