Over the last couple of years, the words Facebook and privacy have rarely appeared together in a positive headline. The big tech company has attempted to gain the public’s trust in its use of our data, but has repeatedly demonstrated its inability to prevent privacy and data breaches.
In July, the Federal Trade Commission (FTC) and Facebook reached a settlement of $5 billion, constituting the largest settlement for a privacy breach in history. In fact, it is one of the largest penalties that any company in the United States has received for any violation. Prior to this settlement, the FTC’s largest settlement was only $22.5 million with Google in 2012. In addition to the fine, the FTC has now added new restrictions on how tech giants can maintain and handle user data.
The settlement requires limitations on Mark Zuckerberg’s decision-making, mandating Facebook to create an “independent privacy committee” on the board of directors. Zuckerberg will also be required to submit reports to the FTC on quarterly and annual bases. The goal is ultimately to “change Facebook’s entire privacy culture.”
What caused this probe?
For years, the FTC has been after Facebook, trying to determine whether Facebook breached a previous agreement over user privacy following the Cambridge Analytica data breach, allowing Cambridge Analytica to politically target users by having access to personal data. This was a flagrant violation of the FTC’s 2012 order, allowing “pay-for-play data harvesting by developers.”
Over the last year specifically, the FTC investigation found that Facebook repeatedly used “deceptive disclosures and account settings to lure users into sharing personal information, undermining their actual privacy preferences.”
Critics of the settlement believe that this will have no meaningful impact on the structure of the tech giant and the use of consumers’ data. Financial incentives drive Facebook and other tech giants to sell consumers’ data, and the settlement does not attempt to deter the company from such incentives.
The SEC additionally announced that Facebook would be reaching a settlement with them, including a $100 million fine with respect to claims that it “misled investors about the misuse of customer data.”
Commissioner Noah Phillips stated, “The price of privacy violations just went up.” However, while this sets an example for other companies of what the fines may be, it does not explicitly state which acts would be violations, as Facebook’s violations were specific to its business model.
The pattern seen at Facebook was that the tech giant let users believe they had turned off certain types of data sharing, when the data was actually shared anyway if their friend(s) had not turned off the same setting. This loophole was never fully closed, and it still allowed access to “whitelisted” developers.
Further, Facebook requested users’ phone numbers, stating it was for security purposes, when in fact it was for advertising purposes. Another violation had to do with the facial recognition technology, where they told users they would have to opt into such use, when in reality “approximately 60 million users were subjected to it by default.”
For Big Tech companies, this settlement demonstrates that the FTC will take action against any company that fails to protect consumer data. Zuckerberg himself states that he hopes the mandated changes, i.e. restructuring the board and decision-making authority along with the reporting requirements, will “set a completely new standard for our industry.” However, for companies of this size, these fines do minimal damage.
The Wall Street Journal recently reported that while this $5 billion fine might seem extremely large, the penalty is only equivalent to “about 16% of the company’s 2018 operating expenses, the day-to-day cost of running the business.” In other words, it only equates to about 59 days of “ordinary expenses such as research and development spending, marketing and administrative costs.” The $100 million SEC fine mentioned above amounts to just over a single day of operating expenses.
Again, while this was a monumental settlement, the U.S. lacks a single, comprehensive federal privacy law regarding the use, collection, and sale of consumer information. It is difficult for companies to understand, on a federal level, how to handle users’ data. Over the next decade, this will likely change, as more federal regulations and legislation develop.
While there are many guidelines on the federal level, which governmental agencies and industry groups have developed, these guidelines lack the force of law. The FTC oversees the Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (GLBA)), which is the main regulator of privacy for financial information.
The California Consumer Privacy Act of 2018
Nonetheless, it is important for companies to recognize state legislation that might affect their business practices. On a state level, regulators have taken the necessary next steps to protect consumers’ privacy. California has been a pioneer, providing the most protections through the California Consumer Privacy Act of 2018 (CCPA). This regulatory scheme attempts to emulate the EU’s GDPR, which grants extensive protections for consumers.
The CCPA will go into effect on January 1, 2020. This will affect any business that stores or collects data from California residents. This Act gives California the ability to control how consumers’ information is being used, and mandates that businesses be more transparent in handling such information.
The CCPA gives the consumer ownership to protect his/her right "to tell a business not to share or sell your personal information,” allows the consumer to “gain control over the personal information that is collected about you,” and holds “business responsible for safeguarding your personal information.”
Each company that would fall under the category of having to comply with the Act should create a compliance program. If a GDPR compliance program has already been created, some of the processes may be applicable to the California Consumer Privacy Act.
First, the company should establish a training program for employees to ensure that anyone who is handling consumers’ information is informed about the requirements. The rights the Act grants to consumers are:
1. Right to know ALL data collected by a business on you, twice a year, free of charge.
2. Right to say NO to the sale of your information.
3. Information Security: Right to sue companies who collected your data, where that data was stolen or disclosed pursuant to an unauthorized data breach, if the company was careless or negligent about how it protected your data (i.e. if the data was unencrypted or un-redacted, or the company didn’t have reasonable security policies and procedures in place to protect it).
4. Right to DELETE data you have posted.
5. Right to not be discriminated against if you tell a company not to sell your personal information.
6. Right to be informed of what categories of data will be collected about you prior to its collection/at point of collection, and to be informed of any changes to this collection.
7. Mandated opt-in before sale of children’s information (under the age of 16).
8. Right to know the categories of third parties with whom your data is shared.
9. Right to know the categories of sources of information from whom your data was acquired.
10. Right to know the business or commercial purpose of collecting your information.
This information can all be found on the Californians for Consumer Privacy website, which states: “Enforcement is via a private right of action (consumer lawsuits) for data breaches, with the rest of the act subject to enforcement by the California Attorney General, at up to $2,500 per violation.”
As January 1, 2020 is quickly approaching, it is essential that companies which intend to collect information on California residents make themselves aware of the new regulatory scheme that will be in place and ensure that they comply with these new protections.