After a year-long investigation into Facebook for its misuse of customers’ personal data, the Federal Trade Commission (FTC) filed its official order on July 24, 2019. The settlement comes on the heels of the two biggest fines issued under the European Union’s (EU) General Data Protection Regulation (GDPR) and just two days after the official complaint was filed against Equifax in response to its 2017 data breach. As regulatory bodies begin to exercise their ability to levy large fines in response to privacy violations, the impact on organizations reaches far beyond the financial. Organizations must act now to prepare for further data privacy oversight, regulation, accountability and transparency requirements.
What you need to know
The FTC, together with the Department of Justice, settled with Facebook for a record-breaking 5 billion dollars. Not only is this the largest fine in both FTC and privacy-enforcement history, it also amounts to roughly 9 percent of Facebook’s 2018 total revenue. Under the GDPR, companies may be fined up to 4 percent of annual revenue, making this fine substantially larger than the world’s de facto privacy standard stipulates.
While the fine is large by any standard, many believe the penalty should have been larger for a company of Facebook’s financial stature. Arguably more significant than the fine, as part of the settlement Facebook agreed to implement sweeping changes to its corporate governance structure. These changes firmly establish privacy as a top-priority risk and initiative, factored into and addressed at nearly every level of the company, with privacy considerations raised through multiple independent channels. Privacy is now a board-level requirement at Facebook, and with this change comes the following:
Along with the governance changes, there are several conditions related to sharing specific data, reporting incidents involving Covered Information[1], and the continued handling of facial recognition that must also be addressed.
Why this matters
During the press conference announcing the groundbreaking fine and the new mandates required by the settlement, FTC Commissioner Christine Wilson also took the opportunity to advocate for privacy legislation in the United States. Specifically, Commissioner Wilson renewed “the FTC’s bipartisan call to Congress to pass comprehensive privacy and data security legislation.”
If an organization does business in a regulated industry, such as healthcare or finance, or conducts the majority of its business in a privacy-forward jurisdiction, such as the EU, there are established frameworks for building a privacy program. For organizations in less regulated spaces, the best approach may be to look to peers or, better yet, to an industry leader.
As Facebook moves forward with implementing and complying with this privacy mandate, other organizations should look to emulate this level of privacy oversight. While three separate independent oversight channels may not always be necessary, assessment and evaluation by professionals who possess the right knowledge and skill set will be. The key pillars of the mandated privacy program (conducting risk assessments, documenting safeguards and providing training to employees) can also be scaled to fit any organization’s needs. The requirements are clearly driven by one intent: to keep privacy at the forefront of an organization’s strategy, so that it can be addressed as an enterprise risk.
Even in the absence of a federal privacy law, states are moving forward with legislation to regulate businesses and protect their residents. Some, such as California with the California Consumer Privacy Act (CCPA), have created a fairly comprehensive law, while others are beginning with niche markets, such as Maine targeting internet service providers. An organization with a comprehensive and sustainable privacy program as its foundation will be better prepared and more flexible in adjusting to state-by-state changes.
Steps to take now
Organizations should regard this settlement and its requirements as a bellwether of what’s to come, and should assess the breadth and strength of their own programs accordingly. It will take time to see the overall impact of Facebook’s implementation, but the following steps can set an organization on the right path to stronger privacy governance.
For more information on this topic, or to learn how Baker Tilly specialists can help your organization develop a sustainable privacy program, contact our team.
[1] Covered Information means information from or about an individual consumer including, but not limited to: (a) a first or last name; (b) geolocation information sufficient to identify a street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging User identifier or a screen name; (d) a mobile or other telephone number; (e) photos and videos; (f) Internet Protocol (“IP”) address, User ID, or other persistent identifier that can be used to recognize a User over time and across different devices, websites or online services; (g) a Social Security number; (h) a driver’s license or other government-issued identification number; (i) financial account number; (j) credit or debit information; (k) date of birth; (l) biometric information; (m) any information combined with any of (a) through (l) above; or (n) Nonpublic User Information.