April 02, 2018 Practice Points

Facebook’s Data Privacy Practices Under FTC Investigation as a Result of Cambridge Analytica Controversy

Important lessons for businesses on privacy

by Kevin L. Coy and Bradford J. Kelley

Against the backdrop of the growing controversy surrounding allegations that Facebook allowed a company to mine the personal information of approximately 50 million Facebook users, the Federal Trade Commission (FTC) recently confirmed that it is investigating Facebook’s data privacy practices. The announcement follows the backlash arising from reports alleging that Cambridge Analytica, a political ad and consultancy firm, harvested massive amounts of data on Facebook users without their knowledge or consent. Consequently, Facebook is facing an increasing number of investigations from Congress, state attorneys general, international data protection authorities, and now the FTC. In the March 26, 2018, statement, acting director of the FTC’s Bureau of Consumer Protection, Tom Pahl, explains, “the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.” While not unprecedented, the FTC’s statement is unusual in that the agency does not normally comment on non-public investigations.

The FTC statement indicates that the agency is investigating whether Facebook failed to honor its privacy promises, including compliance with its commitment under the Privacy Shield program for transferring personal data from the European Union to the United States. The FTC is also investigating whether Facebook engaged in unfair acts that caused substantial injury to consumers in violation of the FTC Act. More specifically, the FTC investigation will focus on whether Facebook violated a 2011 consent order with the FTC to protect users’ privacy. The order requires Facebook to notify users and get express permission before sharing their personal information beyond the limits of their established privacy settings.

Facebook could face serious monetary penalties if the FTC finds that Facebook violated the consent order. Each violation of the 2011 agreement could result in a penalty of up to $41,484, which could add up quickly given the number of consumers involved. Moreover, if the FTC finds that Facebook acted deceptively and violated the FTC Act, the FTC could demand operational changes.

The matter may ultimately be resolved by President Trump’s FTC nominees currently awaiting Senate confirmation. In late February of 2018, the Senate Committee on Commerce, Science and Transportation voted to advance President Trump’s four nominees for seats on the FTC, but the nominees are still awaiting full Senate confirmation and it is unclear when this will occur. Because the Facebook investigation will likely take a substantial amount of time to complete and the two current commissioners plan to leave the agency when their successors are confirmed, the incoming commissioners will probably be the final arbiters of any decision involving whether to bring an action against Facebook or how to proceed.

The FTC’s announcement was released on the same day that a bipartisan group of state attorneys general sent a letter to Facebook CEO Mark Zuckerberg, demanding the company provide answers to a series of questions about its policies and practices for handling information about its users. The letter said the attorneys general are “profoundly concerned” regarding media reports that third parties were able to obtain Facebook user information without the users’ knowledge or consent. Meanwhile, congressional members in both parties have called for hearings and international data protection authorities are demanding to know more about the company’s privacy practices.

Ultimately, the FTC’s announcement, along with the letter from the state attorneys general, confirms that Facebook is likely to face serious investigations and possible legal actions in the future, in addition to the multiple lawsuits that have already been filed. Businesses can learn some important lessons from this incident by ensuring they adequately protect the privacy and confidentiality of consumers’ information, particularly with respect to third-party sharing. To help achieve this, businesses should establish and implement comprehensive privacy programs and procedures designed to address privacy risks.

Kevin L. Coy is a partner and Bradford J. Kelley is an associate in Arnall Golden Gregory LLP’s Washington, D.C., office.

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).