Early last month, the Federal Trade Commission approved a fine of approximately $5 billion against Facebook for violating a 2012 privacy settlement with the agency by deceiving users about their ability to control the privacy of their personally identifiable information (PII). Aside from the financial penalty, the FTC is requiring Facebook to:
- Restructure its handling of user data and show how it maintains user PII, including how it makes data available to third parties.
- Clearly and conspicuously disclose what nonpublic user PII it shares and to which third parties.
- Maintain a comprehensive information security program to secure user PII, as well as appoint a chief privacy officer of product.
- Refrain from creating new facial recognition templates and delete existing templates, unless users grant permission beyond any pre-existing policies.
- Establish an Independent Privacy Committee and conduct initial and biennial assessments of the preceding mandated privacy program, performed by qualified, independent third-party professionals.
The record-breaking fine for Facebook shows the United States is not afraid to punish big tech for mishandling user data and trust. To illustrate how large this fine is, Equifax recently agreed to pay $575 million to the FTC, the Consumer Financial Protection Bureau (CFPB) and all 50 U.S. states — on top of an approximately $625 million fine in the U.K. for its 2017 data breach. Facebook’s FTC fine is more than 316% greater than Equifax’s settlements in both the U.S. and the U.K.
On top of Facebook’s penalties, the head of the FTC has discussed breaking up Facebook by undoing the company’s previous mergers with apps such as Instagram and WhatsApp; the agency has launched an investigation into Facebook to determine whether its acquisitions have thwarted competition and monopolized the market.
As consumer-facing organizations observe the turmoil resulting from Facebook’s data privacy flaws, they should recognize that Facebook is uniquely massive and so its fines and regulatory risks are commensurate. Facebook maintained 2.41 billion monthly active users (MAUs) around the globe in Q2 2019, and that number excludes WhatsApp, Instagram, and Facebook Messenger users. The social media giant has also reportedly amassed $16.9 billion in revenue for the three months ending in June 2019, a 28% increase from the same period in 2018. Nonetheless, other organizations that handle PII must draw four key lessons from Facebook’s missteps so that they do not attract similar unwelcome attention:
- Organizations must identify the intersection where their digital transformation opportunities meet user trust risks, well before going to market with a new offering.
- Consumer PII must be handled as a joint asset — so that companies are able to respond to all stakeholders’ requirements, whether those of business owners or risk leads.
- Enterprises must lean into consent as a business choice wherever possible in order to build trusted digital relationships and widen their options for PII usage.
- To address the newest challenges around data protection, privacy, consent, and trust, organizations can leverage consumer identity and access management (CIAM) platforms.
Consumers entrust organizations with their PII under the assumption that it will be respected and protected. However, protecting consumer PII extends far beyond privacy compliance into the realm of trust. Any organization that does not ask how it can continually earn the trust of its consumers is tempting fate and may be inviting severe repercussions: action from the FTC, lawsuits, penalties under the soon-to-be-enacted California Consumer Privacy Act (CCPA), and even fines under GDPR if E.U. citizens’ data is affected.
Facebook’s misfortune should be viewed as an opportunity for other companies to review their practices and facilitate internal changes to respect their users’ privacy, instead of exploiting it. If a company demonstrates the value of building trusted digital relationships with its customers, it can obtain a competitive edge and even contribute to greater compliance under data privacy regulations.