Facebook’s Data Privacy Practices Under FTC Investigation As a Result of Cambridge Analytica Controversy

Against the backdrop of the growing controversy surrounding allegations that Facebook allowed a company to mine the personal information of approximately 50 million Facebook users, the Federal Trade Commission (“FTC”) recently confirmed that it is investigating Facebook’s data privacy practices. The announcement follows the backlash arising from reports alleging that Cambridge Analytica, a political ad and consultancy firm, harvested massive amounts of data on roughly 50 million Facebook users without their knowledge or consent. Consequently, Facebook is facing an increasing number of investigations from Congress, state attorneys general, international data protection authorities, and now the FTC. In the March 26, 2018 statement, Acting Director of the FTC’s Bureau of Consumer Protection, Tom Pahl, explains, “the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.” While not unprecedented, the FTC’s statement is unusual in that the agency does not normally comment on non-public investigations.

The FTC statement indicates that the agency is investigating whether Facebook failed to honor its privacy promises, including compliance with its commitment under the Privacy Shield program for transferring personal data from the European Union to the US. The FTC is also investigating whether Facebook engaged in unfair acts that caused substantial injury to consumers in violation of the FTC Act. More specifically, the FTC investigation will focus on whether Facebook violated a 2011 consent order with the FTC to protect users’ privacy. The order requires Facebook to notify users and get express permission before sharing their personal information beyond the limits of their established privacy settings.

Facebook could face serious monetary penalties if the FTC finds that Facebook violated the consent order. Each violation of the 2011 agreement could result in a penalty of up to $41,484 per violation, which could add up quickly given the number of consumers involved. Moreover, if the FTC finds that Facebook acted deceptively and violated the FTC Act, the FTC could demand operational changes.

The matter may ultimately be resolved by President Trump’s FTC nominees currently awaiting Senate confirmation. In late February of 2018, the Senate Committee on Commerce, Science and Transportation voted to advance President Trump’s four nominees for seats on the FTC, but the nominees are still awaiting full Senate confirmation and it is unclear when this will occur. Because the Facebook investigation will likely take a substantial amount of time to complete and the two current commissioners plan to leave the agency when their successors are confirmed, the incoming commissioners will probably be the final arbiters of any decision involving whether to bring an action against Facebook or how to proceed.

The FTC’s announcement was released on the same day that a bipartisan group of state attorneys general sent a letter to Facebook CEO Mark Zuckerberg, demanding the company provide answers to a series of questions about its policies and practices for handling information about its users. The letter said the attorneys general are “profoundly concerned” regarding media reports that third parties were able to obtain Facebook user information without the users’ knowledge or consent. Meanwhile, congressional members in both parties have called for hearings and international data protection authorities are demanding to know more about the company’s privacy practices.

Ultimately, the FTC’s announcement, along with the letter from the state attorney generals, confirms that Facebook is likely to face serious investigations and possible legal actions in the future as well as multiple lawsuits that have already been filed. Businesses can learn some important lessons from this incident by ensuring they adequately protect the privacy and confidentiality of consumers’ information, particularly with respect to third party sharing. In order to help achieve this, businesses should establish and implement comprehensive privacy programs and procedures designed to address privacy risks.

If you have any questions regarding privacy or consumer issues, please contact one of the authors or any member of Arnall Golden Gregory’s Privacy and Consumer Regulatory Practice Group.

Kevin L. Coy is a Privacy Partner in Arnall Golden Gregory LLP’s Washington, D.C. office. Bradford J. Kelley was an Associate in Arnall Golden Gregory LLP’s Washington, D.C. office.