Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
ColumnsCybersecurityManagementSectorsSecurity Leadership and ManagementSecurity Education & TrainingGovernment: Federal, State and Local

Education & Training

The FTC-Facebook Settlement: A Major Shift in U.S. Privacy Regulation

By Mindi Giftos, Ephraim Hintz
SEC1119-edu-Feat-slide1_900px
SEC1119-edu-slide2_900px
SEC1119-edu-Feat-slide1_900px
SEC1119-edu-slide2_900px
November 8, 2019

In 2010, Mark Zuckerberg famously stated that privacy was no longer a “social norm.” Today, the Facebook founder is no doubt viewing social norms around privacy a bit differently, as are U.S. regulators and consumers.

The Federal Trade Commission (FTC) recently confirmed that it agreed to a settlement with Facebook, stemming from the social media giant’s alleged privacy violations in the Cambridge Analytica scandal. In the settlement order, Facebook agreed to pay a record-breaking $5 billion penalty to resolve the FTC’s claims that Facebook violated a prior FTC order by repeatedly using deceptive disclosures and settings to undermine users’ privacy preferences and allowing Facebook to share users’ personal information without prior consent with third party applications.

 

Is The Fine Enough?

Some argue that the $5 billion fine is not significant enough, given Facebook’s revenue and value. However, the fine is unprecedented and objectively large by every measure. It is not only the largest penalty ever imposed on a company for violating consumers’ privacy rights, it is twenty times greater than the next largest privacy or data security penalty ever imposed on a company. And, given that Facebook had $56 billion in total revenue last year; the fine comprises nine to 10 percent of Facebook’s global revenue, which is more than double the recoverable amount possible under the European Union’s General Data Protection Regulation (GDPR). This is a massive fine, and it should be a wake-up call to any company that is not complying with a previous FTC order or is playing fast and loose with consumer data.

 

Privacy Restrictions

Unsurprisingly, the order also requires Facebook to implement more stringent privacy practices and procedures, including:

  1. Not misrepresent to its users what information Facebook is collecting, the information Facebook makes available to third parties and the steps a user has to take to verify the privacy of the user’s Facebook account.
  2. Disclose a privacy rights statement to its users and obtain affirmative express consent from its users prior to sharing or disclosing a user’s personal information with a third party.
  3. Delete a user’s personal information after a reasonable period of time, no longer than 30 days, from the time the user deletes the information from his or her account OR deactivates his or her account.
  4. Provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express consent prior to any use.
  5. Not disclose a user’s telephone number, without prior affirmative express consent, for the purpose of advertising in which the user disclosed his or her phone number for the specific purpose of adding security to his or her Facebook account.
  6. Obtain initial and biennial assessments of its privacy program from an independent third party professional.

 

Never Before Seen Governance Requirements

In addition to the massive fine, the even more groundbreaking provisions of the order are sweeping new privacy governance restrictions. These restrictions are designed to radically overhaul the way Facebook manages its privacy program, and to implement external oversight of Facebook’s privacy program. Unlike any other FTC order concerning data privacy, this order aims to create greater accountability at Facebook’s Board of Directors’ level.

Within 120 days of entry of the order, Facebook must create an independent privacy committee and adopt a committee charter. The privacy committee must only consist of independent members from Facebook’s Board of Directors, meaning that none of Facebook’s executives may serve on the committee. Further, an independent nominating committee will select the privacy committee’s members. The privacy committee will have oversight responsibilities for Facebook’s privacy program and will need to work in conjunction with an independent assessor, who will evaluate the effectiveness of Facebook’s privacy program through fact gathering and testing. The independent assessor must be a third party, not associated with Facebook.

Once established Facebook’s charter for its privacy committee must include the following qualifications and responsibilities:

  1. Hold at least four meetings each year.
  2. All members of the privacy committee must be independent directors.
  3. Have four briefings a year with Facebook’s Board of Directors and Chief Executive Officer Mark Zuckerberg concerning the state of Facebook’s privacy program, Facebook’s compliance with the order and Facebook’s material risks with privacy and confidentiality.
  4. Review independent assessor reports concerning Facebook’s privacy program.
  5. Once a year, the privacy committee must review Facebook’s privacy program and assess Facebook’s plans and procedures to mitigate privacy risks.
  6. Meet with an independent third-party assessor on a quarterly basis.

The order authorizes the FTC to use the Federal Rules of Civil Procedure’s discovery tools to monitor Facebook’s compliance with the order.

 

Personal Liability for CEO Mark Zuckerberg

The order also imposes accountability at the individual level. As CEO, Mark Zuckerberg now will have personal liability for any false certifications made to the FTC, independent assessor, or the privacy committee. Personal liability also extends to any compliance officer or director for false certifications made to the FTC.

 

Takeaways

While the U.S. does not yet have a federal comprehensive data privacy regulatory framework, the FTC is sending a clear message that its involvement in privacy enforcement actions will have teeth, particularly after their prior orders have been violated. The Facebook settlement includes governance requirements and imposes a penalty that far exceed the requirements and potential penalties possible under the GDPR, which are widely thought to be substantial.

All companies – including U.S. companies who may have previously believed privacy regulations were not as strict in the U.S. – should review their privacy practices and procedures to not only ensure they are operating in a reasonable manner, but to also catch up to the rapidly evolving data privacy and security landscape.

KEYWORDS: Facebook security GDPR personally identifiable information privacy concerns

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Giftos mindi

Mindi Giftos is a partner with Husch Blackwell LLP. She is a co-leader of the firm’s Internet of Things (IoT) and Data Privacy, Cybersecurity & Breach Response teams and is the office managing partner of the firm’s Madison, Wis. office.

Ephraim Hintz is an associate in Husch Blackwell LLP’s Denver’s office, who assists clients on emerging data privacy issues.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Leadership and Management
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

Laptop with coding on ground

Stepping Into the Light: Why CISOs Are Replacing Black-Box Security With Open-Source XDR

Gift cards and credit cards

Why Are Cyberattacks Targeting Retail? Experts Share Their Thoughts

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cybersecurity-laptop

    Maintaining Privacy and Cybersecurity Vigilance during the Coronavirus Outbreak

    See More
  • cyber-person

    A Seismic Shift: What California’s New Privacy Law Means for Cybersecurity

    See More
  • privacy-access-freepik

    Considering the consumer privacy conundrum in a data-filled digital world

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing