The Federal Trade Commission announced its settlement with Facebook on the same day that Robert Mueller testified before the House Judiciary Committee. While this may have been calculated to take Facebook off the front page, it permitted observers to note that the Mueller investigation and the Facebook complaint have origins in the same stew: Cambridge Analytica and Russian interference in American elections. Not by coincidence, the FTC filed a complaint against Cambridge Analytica on the same day.

Facebook first ran afoul of the FTC in 2012 when the commission accused it of misleading its users about its privacy policies. Most concerning to the FTC was that, unbeknownst to Facebook’s customers, users who “friended” anyone were exposing not only their own personal data but that of their friends to third party developers of apps – such as dating apps – that were able to harvest the data through their relationship with Facebook.

In a 2012 consent decree, Facebook agreed not to misrepresent the extent to which consumers could control the privacy of their information, the steps that they could take to implement such controls, and the extent to which Facebook makes user information accessible to third parties.

The 2019 Complaint. In its complaint against Facebook filed July 24, 2019, the FTC laid out in great detail how extensively Facebook had failed to honor its 2012 commitments. Central to the FTC’s filing was the extent to which third-party developers continued to have access to data concerning “friends” of users, and how convoluted were the means by which those friends could prevent third-party access to their data.

The FTC complaint traced several changes that Facebook made to its privacy policy and settings since the 2012 consent order, but pointed out how deceptive Facebook’s public announcements regarding these changes were. The FTC alleged, for example, that Facebook made distinctions between apps that generated large amounts of revenue for Facebook and those that did not. The lucrative apps continued to have access to friend data while the less profitable were shut out.

Further upsetting to the FTC, Facebook would ask users for personal data, such as telephone numbers, as part of a two-factor authentication security process – and then provide the numbers to third parties who would use them for advertising purposes.

In contrast to its usual practice, the FTC filed its complaint and announced Facebook’s consent decree on the same day.

The New Consent Decree. The FTC consent decree to which Facebook has now agreed goes far beyond the $5 billion penalty that has been in the headlines, indeed far beyond anything that the FTC has done before. It starts at the top.

Facebook must amend its certificate of incorporation to provide for a privacy committee consisting of directors who are not officers of the company. These directors cannot be removed from their roles except for cause and by a vote of holders of two-thirds of the outstanding shares of Facebook. The privacy committee will have the sole authority to recommend additions to or subtractions from the committee.

The privacy committee is charged with reviewing the company’s adherence to the consent order, which will be measured regularly by an independent third party assessor selected by the company and approved by the FTC. The committee’s meetings with the assessor cannot be attended by Facebook management. Assessments must be undertaken within 180 days of the date of the consent order and every two years thereafter for 20 years.

The assessor may not base its conclusions on assertions of Facebook management. Rather, it must undertake an independent review of the company’s performance. The company, meanwhile, may not mislead the assessor.

The consent order also requires Facebook to adopt a new privacy program and to monitor its compliance with its terms. The company must appoint a chief privacy officer and ensure that every employee receives privacy training annually. The privacy policy must, among other things, establish a “need to know” basis that limits employee access to user data.

Facebook is specifically barred from asking for login credentials for third-party apps such as LinkedIn as part of its authentication or account creation process. Facebook passwords must be encrypted both at rest and in transit.

The company must implement regular automated scans to detect whether user passwords are stored in plain text in its data warehouse and to encrypt or delete them if found in that condition. Facebook may not share telephone numbers provided by users to enable account security features, or use those numbers itself for any other purpose.

Once a user terminates his account with Facebook, the company must promptly delete that user’s information and make it unavailable to third parties. Any content previously created by that user must be deleted within 120 days.

Facebook must also delete all of its facial recognition templates within 90 days unless the user whose face has been digitized explicitly consents otherwise after having been given clear disclosures concerning the use that Facebook may make of that template.

Facebook may not share information about a user with third parties if that sharing exceeds privacy settings previously chosen by the user unless Facebook gives the user clear disclosures concerning the categories of data that may be shared, the identity or nature of the third party with which the data may be shared and the fact that the proposed sharing exceeds the user’s privacy setting. After making those disclosures, Facebook must obtain the user’s affirmative consent to such sharing.

New products being introduced must be evaluated from a privacy perspective, with such evaluations being provided to the assessor, the privacy committee and, upon request, to the FTC. Vendors with access to personal data stored by Facebook must certify annually their compliance with Facebook’s privacy rules.

All of these requirements must be included in the internal privacy policy of Facebook. Compliance must be measured by the independent assessor and reported regularly to the privacy committee. Regular certification of such compliance must also be made personally by Mark Zuckerberg (or his successor as CEO) and the chief privacy officer.

Lessons to be Learned. While there was disagreement as to whether a fine of $5 billion was enough (two of the five FTC commissioners dissented), there can be no mistaking that the terms of this consent order are more exacting than any previous privacy-related consent order. The FTC has, without saying so, adopted the “right to be forgotten” that is now the law in Europe and that will soon be the law in California.

Since the FTC has no broad rule-making authority in the realm of privacy, this rule is for now specific to Facebook. It may be a harbinger of consent orders to come and, quite possibly, of national legislation that may be engendered by the scramble among the states to catch up to what California is achieving with its Consumer Privacy Protection Act, which we have covered previously.