
Marketing Land


FTC settlement with Facebook imposes tough new privacy rules, including personal liability for CEO Zuckerberg if violated

There are lots of new privacy requirements, which Zuckerberg says he welcomes and others say don't go far enough.

Greg Sterling on July 24, 2019 at 12:06 pm

Facebook critics were grousing that $5 billion was too little to pay for the company’s alleged repeated violations of user privacy, in contravention of an earlier FTC consent decree. Indeed, the financial penalties could have been a great deal stronger. But we now know the settlement with the FTC comes with a range of strict new privacy requirements that impose substantial new compliance burdens on Facebook.

Some critics still complain that even the new privacy rules don’t go far enough to place “meaningful limits” on the collection of personal data.

Changing the privacy culture of Facebook. Mindful of criticism of the monetary settlement, FTC Chairman Joe Simons said in a press release, “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

So what must Facebook now do? A lot.

Independent board privacy committee. There will be a new independent privacy committee at the board level, “removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy.” Members of the committee cannot be fired by Zuckerberg but only by a supermajority of the board.

In addition, Facebook will be required to appoint privacy compliance officers, who must certify on a quarterly basis that Facebook is in compliance with the FTC mandated program and will be personally subject to civil and criminal liability for any false representations. These compliance officers can only be hired and fired by the board’s privacy committee and not by any executive at Facebook including Zuckerberg.

Personal liability for Mark. Mark Zuckerberg must also sign off on the quarterly FTC privacy reports. He faces potential personal liability for any false statements or misrepresentations. (One question going forward will be how “material” such misrepresentations must be to trigger liability.)

An independent assessor, accountable to the FTC and the board’s privacy committee, will be tapped to review the state of Facebook’s privacy program every two years — for 20 years. That assessment cannot rely “primarily” on Facebook management’s compliance statements. It also appears that the assessor and FTC can use what amounts to legal civil discovery tools to gain information to assess compliance during that biennial review process.

These rules equally extend to Instagram and WhatsApp.

New product review and third-party oversight. Facebook will also be required to conduct a compliance review of “every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy.” And when privacy events that compromise the data of more than 500 users occur, Facebook must document and submit them to the FTC and its privacy assessor within 30 days.

Additional new requirements include:

  • Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

Speaking of third parties, Facebook today acknowledged that despite shutting down sharing of Facebook-friends data last year, some partners still had access due to a bug in Facebook’s codebase. Microsoft and Sony were able to continue to access Facebook friends’ data, but that has now been corrected, according to the company.

Zuckerberg says he supports the new rules. Mark Zuckerberg issued a statement in which he said, “I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.” He added that the company’s next focus “is to build privacy protections as strong as the best services we provide. I’m committed to doing this well and delivering the best private social platform for our community.”

Why we should care. Say what you want about the $5 billion penalty, but the new privacy regimen that Facebook must comply with appears very strict. That’s reflected most obviously in the personal liability that Mark Zuckerberg and the company’s new privacy officers will face for false statements or misrepresentations to the FTC. And the third-party app policing rules are designed to deter and prevent future Cambridge Analytica-style data harvesting.

There are also some provisions of the new rules that could affect Facebook’s access to data for ad purposes, including limitations around the use of phone numbers and third-party passwords.


Opinions expressed in this article are those of the guest author and not necessarily Marketing Land. Staff authors are listed here.



About The Author

Greg Sterling
Greg Sterling is a Contributing Editor to Search Engine Land, a member of the programming team for SMX events and the VP, Market Insights at Uberall.
