FTC to Investigate Facebook’s Use of Personal Data

By: Josh Mooney and Gwenn Barney

Allegations that Facebook allowed a data analytics company to mine the information of at least 50 million Americans have led to the opening of a Federal Trade Commission (FTC) investigation as to whether the company breached its 2011 consent decree with the agency by transferring personal data to Cambridge Analytica without the users’ prior knowledge and affirmative consent.

In November 2011, Facebook entered into a consent decree with the FTC, settling charges brought by the agency that the company deceived consumers by telling them they could keep their personal information private when, in fact, it repeatedly allowed the information to be shared and made public. The consent decree required Facebook to undertake several steps to ensure that the company complies with its disclosures regarding the sharing of personal information, including “giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.” Specifically, the consent decree mandated that Facebook, “prior to the sharing of a user’s nonpublic user information” with any third party that materially exceeds the privacy restrictions set in such user’s settings, must (A) “clearly and prominently disclose to the user, separate and apart from any ‘privacy policy,’ ‘data use policy,’ ‘statement of rights and responsibilities’ page, or other similar document:

(1) the categories of nonpublic user information that will be disclosed to such third parties, (2) the identity or specific categories of such third parties, and (3) that such sharing exceeds the restrictions imposed by the privacy setting(s) in effect for the user.”

The decree also ordered Facebook to “obtain the user’s affirmative express consent,” prior to any such sharing. Id.

The consent decree prohibited Facebook from making what the FTC deemed “any further deceptive privacy claims,” and required the company to obtain users’ approval before it altered the manner in which it shares user data. According to the FTC, the consent decree required the company to:

  • stop making misrepresentations about the privacy or security of consumers’ personal information;
  • obtain users’ affirmative express consent before enacting changes that override their privacy preferences;
  • prevent third parties from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • establish and implement a comprehensive privacy program and procedures designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • obtain biannual independent, third-party audits for the next 20 years certifying that it has a privacy program in place that meets or exceeds the requirements of the consent decree.

However, beginning in 2014, Facebook reportedly transferred nonpublic user information of approximately 50 million users to Cambridge Analytica. The data transfer allegedly was made without prior “clear and prominent disclosure” to the users or their “affirmative express consent.”

If the FTC determines that Facebook violated the consent decree, such a determination could result in fines of $40,000 a day per violation, which could add up to millions of dollars. Facebook has already suffered monetarily.

The FTC’s investigation was only the first. State Attorneys General offices in New York, Massachusetts, and Connecticut are opening investigations over Facebook’s transfer of the nonpublic user information. Facebook executives are expected to submit to questioning from congressional committees, including House and Senate judiciary committees, commerce committees, and intelligence committees. In the face of these investigations, Facebook’s stock has declined, and the company now faces derivative lawsuits brought by shareholders.
