Highlights of the FTC and DOJ Facebook complaint and order 

Today the U.S. Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) announced a new complaint and a stipulated consent order against Facebook regarding its violation of its 2012 consent decree regarding its privacy and data practices, as well its violation of Section 5 of the FTC Act. While the $5 billion fine has received the most attention, it is the compliance requirements that are of particular note in the order, as well as the details in the complaint about how Facebook has handled facial recognition information and phone numbers. The FTC and DOJ based their complaint on a substantial trove of investigative materials acquired from Facebook that numbered in the “millions of pages.” [1] 

The Facebook stipulated order and complaint are noteworthy on many fronts. But the three things that stood out the most to us were: 

  1. The new requirement for Facebook to create a privacy board comprised of independent members of its board of directors. This new corporate structure is an important oversight structure. The CEO of Facebook will not be able to fire these individuals, and the new structure creates a flow of privacy controls at the highest levels of the company. 
  2. The consent order and complaint discussion of facial recognition data and phone numbers was unexpected, and of great interest. (More on this below)  
  3. The Department of Justice has been given a greater role than is typically seen in the monitoring and enforcement of the order. This means that it is not just the FTC that will be looking into what Facebook does with consumer data going forward. The additional oversight is far-reaching; the Department of Justice will have the same rights as have been given to the FTC to request and access relevant documents and to engage in compliance monitoring. 

More on facial recognition and phone numbers 

The inclusion of facial recognition information was perhaps the biggest surprise of the FTC and DOJ announcements. Facial recognition was discussed and included prominently in both the order and the complaint. During the joint press conference, FTC Chair Simons said: “We allege that Facebook misrepresented to certain users that they would have to turn on facial recognition technology, but for millions of users the technology was already on by default.” [2] The consent order requires Facebook to get consumers’ opt-in consent before it uses or shares facial recognition information (templates) in ways that exceed prior disclosures made to consumers. These are the first such requirements we’ve seen coming from the FTC, and they are welcome. 

The complaint was detailed in its descriptions of Facebook’s alleged facial recognition violations, and specifically alleged that approximately 60 million Facebook users were affected by violations regarding facial recognition data. “Users who still had the Tag Suggestions Setting after April 2018, however, did not have to “turn [ ] on” facial recognition, because—unless the user had previously opted out— facial recognition was turned on by default. Thus, the updated Data Policy, which emphasized the need for users to “turn [ ] on” facial recognition, was not accurate for the approximately 60 million users who were not migrated to the Face Recognition Setting, as facial-recognition technology was turned on by default for those users. If those users did not want the technology, they—contrary to the updated Data Policy—had to turn it off.” [3]

To put the 60 million number in context, that number is larger than the metropolitan areas of the largest cities in the world. Tokyo, for example, has about 38 million people. Delhi about 25 million. New York City metropolitan area has about 18 million people. 

Phone numbers that Facebook users had provided for security purposes formed another important part of the discussion. During the press conference, FTC Chair Simons stated that: “We also allege that Facebook violated the FTC Act when it told its users that they would collect phone numbers to enable a security feature. But they did not disclose that they also use that information for advertising purposes.” The complaint states: “In addition to its violations of the 2012 Order, Facebook also engaged in deceptive practices in violation of Section 5(a) of the FTC Act. Between November 2015 and March 2018, Facebook asked its users to provide personal information to take advantage of security measures on the Facebook website or mobile application, including a two-factor authentication measure that encouraged provision of users’ phone numbers. Facebook did not effectively disclose that such information would also be used for advertising.” 

The 2019 Facebook consent order stipulates that phone numbers that users have provided to Facebook for security purposes prior to the date of the order for second-factor authentication can no longer be used for advertising purposes. The Department of Justice correctly noted that this kind of repurposing was a serious breach of trust. Gus Eyler, Director of Department of Justice Consumer Protection Branch said in the joint press conference: “Facebook also deceived Americans about how it would use their gathered phone numbers and about when facial recognition technology was active on their Facebook accounts. These were all serious breaches of trust.” The consent order gives specific instructions about phone number use by Facebook: 

“IT IS FURTHER ORDERED that Respondent and its Representatives, in connection with any product or service, shall not use for the purpose of serving advertisements, or share with any Covered Third Party for such purpose, any telephone number that Respondent has identified through its source tagging system as being obtained from a User prior to the effective date of this Order for the specific purpose of enabling an account security feature designed to protect against unauthorized account access (i.e., two-factor authentication, password recovery, and login alerts). Nothing in Part IV will limit Respondent’s ability to use such telephone numbers if obtained separate and apart from a User enabling such account security feature and in a manner consistent with the requirements of this Order.” [4]

If a business requests a phone number for 2FA or another security purpose, consumers should be able to trust that the phone number they provide for security purposes will not be used for advertising purposes. This is privacy 101, and it is a positive step that the FTC and DOJ have made a clear stand on this issue. 

Looking at the broader picture, the FTC had only very narrow authority to take enforcement actions in this matter. During the press conference, the FTC explained why this was so, and noted that they went as far as they could with the tools they had. To do more, the commissioners said, the FTC needs more enforcement authority.

The starkness of the privacy abuses that came to light regarding facial recognition information and phone numbers provided a spotlight that much more needs to be done to protect consumers’ data on multiple levels. The FTC does need more enforcement authority. But we also need more tools to get the job done. This includes the ability to create clear and enforceable standards in privacy, and new privacy laws that provide clarity about what is acceptable and what is not, along with power to enforce against those data practices that cross the line. The new complaint filed against Facebook today gives sufficient details to compel all of us to make progress in as many ways as we can, in as many places as we can, as soon as possible. 

Related Documents

Notes

[1] Statement of FTC Chair Simons, FTC and DOJ joint press conference https://www.ftc.gov/news-events/audio-video/video/ftc-press-conference-facebook-settlement 

[2] Statement of FTC Chair Simons, FTC and DOJ joint press conference https://www.ftc.gov/news-events/audio-video/video/ftc-press-conference-facebook-settlement

[3] Complaint: US v. Facebook: https://www.justice.gov/opa/press-release/file/1186506/download 

[4] Stipulated Consent Order re: Facebook: https://www.justice.gov/opa/press-release/file/1186511/download