On July 24, 2019, the FTC reached a record $5 billion settlement with a major social media platform over alleged violations of the FTC Act and a 2012 consent order which prohibited the company from misleading consumers regarding the company’s data sharing practices and consumers’ ability to control the privacy of their personal information.
According to the FTC’s Complaint, the 2012 consent order arose from an FTC investigation into the company’s practice of sharing with third parties the data of app users and app users’ “friends,” even if those friends had not installed the app themselves. The 2012 consent order sought to rectify what the FTC considered a deceptive practice by, among other things, requiring the company to post a disclaimer to its privacy settings page warning users of this data sharing practice. The company allegedly removed the disclaimer four months after the consent order was finalized and continued to engage in the same deceptive data sharing practices.
Furthermore, the FTC alleges, the company violated a requirement of the 2012 consent order to maintain a reasonable privacy program when it failed to properly vet third-party developers before granting them access to consumer data and disparately enforced its policies, terms, and conditions.
Additionally, the Complaint claims the company violated the FTC Act in two ways: by failing to disclose that telephone numbers provided by users for account security would also be used for advertising, and by misrepresenting that the company’s facial recognition technology would be used only if users opted in to the technology when, in reality, users with an older version of the technology would instead need to opt out.
In addition to the unprecedented $5 billion civil money penalty, the other provisions contained in the consent order include the following:
- a prohibition on making misrepresentations to consumers regarding the company’s privacy practices and use of consumer data;
- changes to the company’s data sharing policy, including making clear and conspicuous disclosures to consumers and obtaining their express consent prior to releasing nonpublic user information;
- a requirement that the company delete certain previously shared consumer data from its servers and prevent third parties from accessing it in the future;
- a prohibition on the sale of consumers’ telephone numbers when the user has designated the use of their telephone number only for account security purposes;
- an immediate halt to any further development of facial recognition templates and a mandate to delete any such existing templates;
- a requirement that the company implement and maintain a comprehensive information security program as well as a privacy program; and
- ongoing compliance monitoring.
The consent order also notes that the company has neither admitted nor denied any of the allegations in the Complaint. Both parties have waived any right to an appeal.