FTC, Facebook, and Future Consequences for Privacy Violations
Privacy Plus+
Privacy, Technology & Perspective
This week, as most of the public was focused on former special counsel Robert Mueller’s testimony before Congress, the Federal Trade Commission (“FTC”) formally announced its $5 billion settlement with Facebook.
A link to the FTC’s Facebook docket follows:
https://www.ftc.gov/enforcement/cases-proceedings/092-3184/facebook-inc
The FTC’s proposed order against Facebook is attached here:
https://www.ftc.gov/system/files/documents/cases/182_3109_facebook_order_filed_7-24-19.pdf
Anecdotally, what public attention-span was left after the Mueller testimony seems to have been focused on the $5 billion fine. Critics say Facebook “got off easy” and the fine should have been a lot higher. (Just last quarter, Facebook posted over $15 billion in revenue.) Defenders say a billion dollars is a lot of money, five times a billion dollars is five times more than that, and they remember the saying about the federal budget apocryphally linked with the late Sen. Everett Dirksen: “…a billion dollars here, a billion dollars there, and pretty soon you’re talking about real money.”
But we think the greatest significance may be the one that has been least discussed: the affirmative steps Facebook must now take to address privacy and respect it – and the consequences that may follow if these steps are not taken.
The proposed order requires:
+ The establishment and maintenance of a comprehensive privacy program in connection with any product, service, or sharing of Covered Information (“Privacy Program”), including a documented risk assessment, documented safeguards, training, and a description of the procedures adopted for implementing and monitoring the Privacy Program;
+ The appointment of a qualified employee or employees to coordinate and be responsible for the Privacy Program (“Designated Compliance Officer(s)”);
+ Annual self-certifications by individuals or entities that use or receive Covered Information obtained by or on behalf of Facebook absent a User-initiated transfer of such information;
+ The establishment of an “Independent Privacy Committee” on the company’s Board of Directors; and
+ Certain quarterly certifications by the Principal Executive Officer (Zuckerberg or his successor) and the Designated Compliance Officer(s).
Not all of these requirements are equally significant, of course. (We are accustomed to FTC-mandated Privacy Programs.) But take a closer look: the Principal Executive Officer (and other specific individuals) is personally responsible for compliance with the Privacy Program, and for disclosing material noncompliance.
Almost quietly – nearly lost among the sturm und drang of a crowded news cycle – one of the most prominent CEOs anywhere in business has now become personally accountable for privacy protection.
In effect, the most striking provision of the Sarbanes-Oxley Act (“SOX”) – that is, making a public company’s most senior executives personally responsible for the company’s effective attention to material issues – has been introduced into the privacy sphere. And it has been introduced not by congressional act, but by the FTC.
SOX was enacted in the wake of the financial meltdown of 2008-2009. Because CFOs themselves would be personally responsible for the accuracy of their public companies’ financial statements, company accountants, outside auditors, and everyone else down and across the reporting stream knew there would be nowhere for them to hide either. Overnight, the auditing process became more stringent. Every word in routine management representations to auditors was now checked and justified. Every process was re-examined. Conferences that had been professional and cordial now became grim. Maybe it was overkill; maybe it could have been done better; but immediately, things changed.
Similarly here, where a CEO is personally accountable for a company’s privacy program, it seems fair to say that the same individual may be held personally accountable for failure to comply. We wonder if the Facebook order will have this effect.
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.