Three Steps to Prepare for a Record Privacy Fine Against Facebook
Is your privacy program prepared to defend its practices and roadmap for the future to senior executives if the FTC issues a record privacy fine to Facebook?
The day appears to be drawing nearer when you might need to do so. The Federal Trade Commission (FTC) has discussed a record fine against Facebook, according to a Washington Post article published on January 18, 2019. The article cites “three people familiar with the deliberations but not authorized to speak on the record.”
The penalty would result from a violation of the 20-year consent decree that Facebook entered into in 2011 after allegations that its privacy practices violated the unfair and deceptive trade practices clause in Section 5. The FTC has the authority to issue substantial fines for such violations; some experts have speculated that it could issue a penalty of over $1 billion for Cambridge Analytica.
Notwithstanding that speculation, the Washington Post article is much more measured. It cites a $22.5 million fine by the FTC against Google in 2012 as the biggest penalty to date for violating an FTC consent decree. Measured against that benchmark, a “much larger” fine has plenty of room to remain under $100 million.
The Washington Post does say that it would be the first major punishment against Facebook since governments began investigating Cambridge Analytica. The United Kingdom Information Commissioner’s Office (ICO) previously declared it would issue a fine of 500,000 pounds, the maximum it could levy for a violation of its privacy law before the General Data Protection Regulation (GDPR) went into effect. For conduct after May 25, the ICO could levy a fine as high as 4% of a company’s global annual revenue. In the case of Facebook, with revenue of just over $40 billion, the potential fine would be approximately $1.6 billion.
However, there will still be some time before any FTC announcement. The story does not say that the FTC Commissioners have agreed on a number, or that Facebook has agreed to settle the matter. An enforcement action or settlement announcement is probably still at least months away. Depending on whether Facebook objects to the number, and on the statute of limitations, it could be even further away.
Any settlement or enforcement action could also be delayed by the federal government shutdown. Senators Edward Markey (D-Mass.) and Richard Blumenthal recently sent a letter to the FTC asking about the implications of the shutdown for its Facebook investigation and for consumers who suffer a data privacy invasion. Among the questions it put to the Commissioners were whether they had the resources in place to resume the investigation after the government reopens and whether they needed additional resources to mitigate the effects of the shutdown.
The report of an aggressive penalty comes amid calls earlier this week by consumer groups for a Data Protection Agency in the United States. The coalition of 16 agencies set forth a Framework for Comprehensive Privacy Protection and Digital Rights in the United States and sought the creation of a dedicated DPA with resources, rulemaking authority and effective enforcement powers to take on privacy challenges. The New York Times also recently ran an article criticizing the FTC’s handling of privacy enforcement and fines.
This leak could be an effort to demonstrate relevance amid those criticisms, given that the FTC typically does not comment about its public investigations. FTC Chair Joseph Simons has reiterated that policy several times in Congressional testimony over the past six months. The Commission did make a rare exception to it last March, when it released a written statement declaring that Facebook was under investigation for its privacy practices following the release of information about Cambridge Analytica. Senators have since asked for additional details, but nothing further has been released to the public.
As for what your team can do to prepare for the day of a major announcement, when senior executives will be wondering whether the FTC will turn to their organization next:
1. Have a firm understanding of your organization’s privacy risks. Data mapping is one of the first places many organizations start when preparing for a new privacy law, and it is the right starting point here as well. If your organization understands its risks, it can take proactive measures to mitigate them.
2. Proactively raise attention to privacy issues over the next few months. The organization will not seem unprepared if the potential consequences of a privacy breach have been discussed in the months before the announcement. Big fines are coming, whether from the FTC or from EU regulators enforcing GDPR, and it is best to prepare people for them now.
3. Put in place a roadmap for the California Consumer Privacy Act (CCPA) and any remaining GDPR issues. A strong game plan is the best defense against compliance risks.
Other Blog Posts on Facebook:
Vendor Risk Management Lessons Coming From Facebook
Facebook, FTC Hearings Top Privacy News Yesterday
Vendor Risk Management at Facebook Back in Headlines
Facebook Updates on App Privacy Investigation, Bans myPersonality
Warning from Facebook Stock Drop: Take Privacy Seriously!
SEC Investigates Facebook for Non-Disclosure of Cambridge Analytica Risks
UK Privacy Office to Issue Maximum Fine for Facebook Over Cambridge Analytica
Senate Consumer Protection Subcommittee Further Explores Facebook Data Privacy
Facebook Answers Senate Questions on Privacy
Privacy Bills in Congress Get Boost From Facebook’s Latest Data Scandal
Germany Demands More From Facebook on GDPR
Overview of the Facebook-Cambridge Analytica Data Privacy Scandal
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Still working on GDPR compliance? We understand! Our GDPR software tools offer a range of options, from data mapping software and DPIA automation to cookie management for ePrivacy.