By Lecio De Paula, KnowBe4's Director of Data Privacy.
On July 24, 2019, it was announced that Facebook, Inc. will pay a 5 billion dollar penalty to the U.S. Federal Trade Commission (FTC) and will be required to revamp their whole privacy and security program. Previously, the largest fine ever imposed by the FTC was $275 million for a privacy enforcement action.
Here are five quick facts about the settlement:
1. The $5 billion fine is approximately 50 times greater than the recent fine imposed by the U.K. Information Commissioner's Office to Marriott International under the European Union’s General Data Protection Regulation (GDPR).
2. Facebook must now be more transparent about its use of facial recognition and make sure they obtain the appropriate consent from users before doing so.
3. Facebook and its group companies (WhatsApp, Instagram) are required to conduct a privacy and security review of every new product or service that is implemented (aka privacy-by-design).
4. This fine stems from Facebook’s violations of a 2012 settlement order with the FTC about making misrepresentations about how they handle personal data.
5. Facebook is now required to establish, implement, and maintain a comprehensive security and privacy program.
As the largest privacy fine that has ever been imposed on any organization, this is sure to set a precedent for all future fines. The United States may not have a comprehensive privacy law that covers personal data such as the GDPR in the European Union, but this goes to show that the FTC means business when it comes to protecting user privacy in the United States. Privacy is being taken seriously and organizations need to start taking measures to comply with the privacy regulations as soon as possible.
One of the biggest takeaways from this fine is that it is important for organizations to be transparent about how they are using consumer data. Gone are the days of not taking a “privacy-by-design” approach with your products. As organizations innovate and create products, they must do so with privacy at the top of their mind. It’s not an easy task, but the first step is to create a comprehensive privacy and security program.
Employees need to know how to protect and handle personal data. An easy way to make sure your employees are constantly thinking about privacy and security requirements is by stepping your employees through new-school security awareness training.