Facebook to Pay $5 Billion to FTC and $100 Million to SEC for Privacy and Disclosure Violations

By Richard Montes De Oca* and Priscila Bandeira**

On July 24, 2019, the U.S. Federal Trade Commission (“FTC”) and Facebook, Inc. announced a $5 billion settlement to resolve a privacy probe investigating whether Facebook had violated a prior FTC consent decree. On the same day, the U.S. Securities and Exchange Commission (“SEC”) announced charges against Facebook for inadequate and misleading disclosures to its shareholders. The SEC alleged that for two years, Facebook’s public disclosures failed to properly warn of its consumer data protection and privacy issues. Facebook did not admit or deny the SEC’s allegations, but agreed to pay the $100 million fine.

The FTC announced in a statement that this is “one of the largest civil penalties in U.S. history.” Previously, the highest FTC fine had been $22.5 million against Google in 2012.

In 2011, Facebook entered into a settlement agreement with the FTC that required the company to obtain user consent before sharing their data and to improve its protection of consumer data. However, Facebook violated the agreement by carrying out a series of improper privacy practices. Specifically, the allegations include that political data firm Cambridge Analytica acquired data from up to 87 million Facebook users through a quiz app. Facebook also allegedly misled its users about whether they had turned on a face recognition setting for the company’s “tagging” tool and exploited users’ phone numbers for targeted advertising without their express consent. Also, Facebook suffered a large data breach shortly after the Cambridge Analytica scandal, which exposed at least 50 million users. In the current settlement, Facebook executives had to sign the settlement under the penalty of perjury, risking civil and criminal liability if they fail to comply. It also required the creation of an independent panel of the Board to oversee Facebook’s privacy practices.

Facebook is also under investigation in Europe for alleged General Data Protection Regulation (“GDPR”) violations and could be facing further legal challenges after the California Consumer Privacy Act becomes effective on January 1, 2020.

Privacy-related class actions and regulatory enforcement by the FTC, SEC, and other regulators involving data breaches, cyberattacks, and disclosures are increasing. It is critical for companies to establish or enhance their Privacy and Data Protection Compliance Program. MDO Partners encourages companies to conduct cybersecurity risk assessments, adopt robust privacy policies, enhance disclosure controls, and adopt cyberattack investigation procedures to help mitigate the risks associated with cyberattacks and data breaches.

*Richard Montes De Oca is Managing Partner at MDO Partners, a boutique law firm that focuses on Corporate, International, and Real Estate Law, as well as Global Compliance and Business Ethics.

**Priscila Bandeira is a Global Compliance and Corporate Law Associate Counsel at MDO Partners, where she assists clients with corporate governance documentation, corporate formation, and international transactions. A graduate of the J.D./LL.M. Joint Program at the University of Miami, Ms. Bandeira is also registered with the Brazilian Bar.