The Federal Trade Commission has issued a landmark $5 billion fine against Facebook.
Big picture takeaways:
- Much more detailed requirements for internal and external governance and oversight with extensive reporting requirements.
- Some requirements providing Facebook with flexibility on compliance (e.g. length of time to delete information; exceptions from the obligation to delete).
- Several requirements expressly allow Facebook to request modification of the requirement to address relevant developments that affect compliance, including, but not limited to, technological changes.
More detailed takeaways:
Representations
Do not misrepresent:
- how you collect, disclose or share information
- the extent to which a consumer can control the privacy of any personal information you maintain and the steps a consumer must take to implement such controls
- the extent to which you make or have made personal information accessible to third parties
- steps you take or have taken to verify the privacy or security protections that any third party provides
- the extent to which you make or have made personal information accessible to any third party following deletion or termination of a user’s account with you or during such time as a user’s account is deactivated or suspended
- the extent to which you are a member of, adhere to, comply with, are certified by, are endorsed by or otherwise participate in any EU-U.S./Swiss-U.S. Privacy Shield.
Just in Time Notices
If sharing personal information in a way that materially exceeds the privacy setting of the user:
- Clearly and conspicuously disclose (such as in a stand-alone disclosure or notice) to the user, separate and apart from any “privacy policy,” “data use policy,” “statement of rights and responsibilities” page or other similar document:
  - the categories of personal information that will be disclosed to such third parties
  - the identity or specific categories of such third parties, and
  - that such sharing exceeds the restrictions imposed by the privacy settings in effect for the user
- Obtain the user’s affirmative express consent.
Deletion of information
Make information on servers under its control impossible for third parties to access within not more than 30 days from the time such information was deleted by a user, except as required by law or where necessary to protect the Facebook website or its users from fraud or illegal activity.
Delete or de-identify information on servers under its control within a reasonable time not to exceed 120 days from the time a user deleted the information (or deleted the account), except:
- as required by law
- where necessary for the safety and security of respondent’s products, services, and users, including to prevent fraud or other malicious activity
- where stored solely for backup or disaster recovery purposes (subject to a retention period necessary to provide a reliable service)
- where technically infeasible given Facebook's existing systems
Information Security Program
Implement and maintain a comprehensive information security program that is designed to protect the security of personal information, containing safeguards appropriate to Facebook's size and complexity, the nature and scope of Facebook's activities and the sensitivity of the personal information.
This should include:
- Not asking for email passwords to other services when consumers sign up for its services.
- Encrypting user passwords and regularly scanning to detect whether any passwords are stored in plaintext.
Privacy Program
Within 180 days of the order, Facebook shall establish and implement, and thereafter maintain, a comprehensive privacy program that protects the privacy, confidentiality and integrity of the covered information collected, used or shared by Facebook. It needs to include at least:
(1) Documented risk assessment:
- Assess and document, at least once every 12 months, internal and external risks in each area of its operation to the privacy, confidentiality or integrity of personal information that could result in the unauthorized access, collection, use, destruction or disclosure of such information.
- Further assess and document internal and external risks as described above as they relate to a data breach incident, promptly following verification or confirmation of such an incident, not to exceed 30 days after the incident is verified or otherwise confirmed.
(2) Adequate safeguards:
- Design, implement, maintain and document safeguards that control for the material internal and external risks identified in the risk assessment. Each safeguard must be based on the volume and sensitivity of the personal information at risk and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, destruction or disclosure of the personal information.
- Include any known alternative procedures that would mitigate the identified risks to the privacy, confidentiality or integrity of the personal information, but which were not implemented and each reason such procedure(s) were not implemented.
- Assess, monitor, test, and modify the privacy program as necessary at least once every 12 months and promptly (not to exceed 30 days) after a data breach incident.
- Specific safeguards for third parties:
  - Require an annual self-certification by each third party that certifies: (a) its compliance with Facebook's terms; and (b) the purpose(s) or use(s) for each type of personal information to which it requests or continues to have access, and that each specified purpose or use complies with Facebook's terms.
  - Deny or terminate access to any type of personal information that the third party fails to certify or, if the third party fails to complete the annual self-certification, deny or terminate access to all personal information unless the third party cures such failure within a reasonable time, not to exceed 30 days.
  - Monitor third-party compliance with Facebook's terms through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months.
  - Enforce against any third-party violations of Facebook's terms based solely on the severity, nature, and impact of the violation.
- Specific safeguards for new or modified products:
  - Conduct and document a privacy impact assessment.
  - For new or modified products posing a material risk, also produce a written report listing:
    - the type of information to be collected, and how it will be used, retained, and shared
    - the notice provided to users about, and the mechanism(s), if any, by which users will consent to, the collection of their personal information and the purposes for which such information will be used, retained, or shared
    - any risks to the privacy, confidentiality, or integrity of the personal information
    - the existing safeguards that would control for the identified risks to the privacy, confidentiality, and integrity of the personal information and whether any new safeguards would need to be implemented to control for such risks
    - any other known safeguards or other procedures that would mitigate the identified risks to the privacy, confidentiality and integrity of the personal information that were not implemented, such as minimizing the amount or type(s) of personal information that is collected, used and shared; and each reason that those alternatives were not implemented.
- Don't use telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising.
- Provide clear and conspicuous notice, separate and apart from any “privacy policy” or “data policy,” of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.
(3) Employee training
(4) Procedures adopted for implementing and monitoring the privacy program, including procedures used for evaluating and adjusting the privacy program.
Internal Governance Requirements
- Establish an independent privacy committee on its Board of Directors, appointed by an independent nominating committee and removable only by a supermajority of the board of directors.
- Designate compliance officers responsible for the privacy program, one of whom will be the Chief Privacy Officer for product. They are to be appointed or removed only by the privacy committee, and are required to issue quarterly reports to the committee, the board and, if asked, the FTC.
- Annual management review of the privacy program.
External Governance/Reporting:
- Submit to FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. False certification will subject them to individual civil and criminal penalties.
- Assess the privacy program 180 days after the order and every two years thereafter, by a third-party independent assessor who can be approved or removed by the FTC. The assessment must be based on the assessor’s independent fact gathering, sampling and testing, and not on attestations by Facebook management. The independent assessor is to report directly to the new privacy board committee on a quarterly basis.
- Document incidents in which data of 500 or more users has been compromised, together with the company’s efforts to address such an incident, and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.
Read the FTC press release
Read the full text of the order
Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at okagan@foxrothschild.com or 215.444.7313.