Critics of Facebook lamented that $5 billion is not enough to pay for repeated violations of users' privacy, in violation of an earlier FTC consent decree. Indeed, the financial penalties could have been much more severe. But we now know that the settlement with the FTC is accompanied by a series of stringent new privacy requirements that impose new compliance obligations on Facebook.
Some critics complain that even the new privacy rules still do not go far enough to impose "significant limits" on the collection of personal data.
Changing the culture of Facebook's privacy. Anxious to criticize the monetary settlement, FTC President Joe Simons said in a press release: "The magnitude of the $5 billion penalty and the total reduction in the number of conduits are unprecedented in the history of the FTC. This remedy is intended not only to punish future violations, but more importantly, to change Facebook's privacy culture to reduce the risk of ongoing violations. The Commission takes the protection of consumer privacy seriously and will enforce the FTC's orders to the fullest extent permitted by law."
So what must Facebook do now? Many things.
Independent Committee on the Protection of Privacy of the Board. There will be a new independent committee on privacy protection at the board level, "removing absolute control from Facebook CEO Mark Zuckerberg over decisions affecting users' privacy." Committee members cannot be dismissed by Zuckerberg, but only by an absolute majority of the board members.
In addition, Facebook will have to appoint privacy compliance officers, who must certify on a quarterly basis that Facebook complies with the program prescribed by the FTC and who will be held personally liable, civilly and criminally, for any false statement. These compliance officers can only be hired and fired by the board's privacy committee and not by a Facebook officer, including Zuckerberg.
Personal liability for Mark. Mark Zuckerberg must also sign the FTC's quarterly confidentiality reports. He incurs potential personal liability for any false declaration or misrepresentation. (One of the questions that will arise is: To what extent must such misleading statements be "important" to engage liability?)
An independent evaluator, accountable to the FTC and the board's privacy protection committee, will be asked to review the state of Facebook's privacy program every two years, for 20 years. This assessment cannot rely "primarily" on Facebook's declarations of compliance. It also appears that the evaluator and the FTC may use legal tools of civil discovery to obtain information to assess compliance during this biennial review process.
These rules also apply to Instagram and WhatsApp.
Review of new products and third-party surveillance. Facebook will also need to conduct a compliance audit of "each product, service, or practice, new or changed, before it is implemented, and document its user privacy decisions." And when privacy incidents that compromise the data of more than 500 users occur, Facebook must document them and submit them to the FTC and its Privacy Assessor within 30 days.
New additional requirements:
Facebook must exercise increased scrutiny over third-party applications, including cutting off developers who fail to certify that they respect the rules of the Facebook platform or do not justify their need for specific user data; Facebook is prohibited from using phone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising; Facebook must provide highly visible notice of its use of facial recognition technology and obtain the express consent of the user before any use that exceeds prior disclosures to users; Facebook must establish, implement and maintain a comprehensive data security program; Facebook must encrypt users' passwords and scan regularly to detect whether any passwords are stored in plain text; and Facebook is prohibited from requesting e-mail passwords from other services when consumers subscribe to its services.
Speaking of third parties, Facebook today acknowledged that even though sharing Facebook friends data was banned last year, some partners still had access to it because of a bug in Facebook's code base. Microsoft and Sony had been able to continue accessing Facebook friends data, but this has now been corrected, according to the company.
Zuckerberg says he supports the new rules. Mark Zuckerberg issued a statement in which he said: "I think that they will reduce the number of mistakes we make and help us to strengthen the protection of privacy for all." best services we provide. "I am determined to do this well and put in place the best private social platform for our community."
Why We Should Care About It. Say what you want about the $5 billion penalty, but the new privacy regime that Facebook needs to comply with is very strict, most clearly in the personal responsibility of Mark Zuckerberg and the company's new privacy officers for false statements or misrepresentations to the FTC. The rules on third-party applications are designed to deter and prevent Cambridge Analytica-style data collection.
Certain provisions of the new rules could also affect Facebook's access to data for advertising purposes, including the use of third-party phone numbers and passwords.
About the Author
Greg Sterling is a contributing editor on Search Engine Land. He wrote a personal blog, Screenwerk, about the connection between digital media and consumer behavior in the real world. He is also Vice President of Strategy and Knowledge for the Local Search Association.