Acting Director Tom Pahl of the Federal Trade Commission ("FTC") Bureau of Consumer Protection confirmed that the FTC is investigating the data privacy practices of Facebook Inc. ("Facebook") following reports that Cambridge Analytica, a data collection and analytics firm, may have misappropriated the personal information of over 50 million users. Facebook previously settled charges with the FTC in 2011 for deceiving consumers regarding the privacy of their account information. The conditions of that settlement required Facebook to obtain approval from consumers before changing the way it shares their data, and to periodically review its privacy practices. The 2011 charges alleged that Facebook's practices violated Section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in or affecting commerce.

In addition, a group of 37 Attorneys General issued a letter to Facebook CEO Mark Zuckerberg requesting information on Facebook's policies and procedures for protecting users' personal information, as well as the social networking platform's plans for improving privacy controls and disclosures going forward. Watchdog group Common Cause filed complaints with the Department of Justice and the Federal Election Commission accusing Cambridge Analytica of violating federal election laws.

Earlier this month, Facebook stated that a University of Cambridge professor created an application that used Facebook's platform to gain access to consumers' information. At the time, Facebook argued that the situation was not a data breach because consumers knowingly gave their consent when they signed up for the app. Since then, however, Facebook has acknowledged that the professor violated Facebook's Platform Policies by failing to disclose that the data collected was passed on to data collection and analytics firms, Strategic Communication Laboratories and its affiliate corporation, Cambridge Analytica.

Commentary / Joseph V. Moreno

The biggest problem for Facebook is that this event was not a breach, which is a back-door break-in that its users may at least have understood and forgiven. The problem here is that the professor in question walked right through Facebook's front door using data harvesting techniques that Facebook fully permitted and later failed to address once it learned the data had been sold and misused. Further, since it was not technically a breach, Facebook likely had no obligation to inform its users of the event under the various data breach notification laws in effect in 48 states.

This case has the potential to lead to stricter state-by-state breach notification laws, to include possibly expanding the definition of "personal information," which is subject to protection. Lawmakers could also opt to impose a GDPR-like "informed consent" regime, in which a data processor must obtain a consumer's consent before certain information may be shared. If public outcry reaches Congress, it may even lead to a national data protection and breach notification standard, which is something that has been advocated by certain lawmakers and consumer privacy groups. In a recent interview on CNN, Facebook CEO Mark Zuckerberg stressed that he was open to Facebook being regulated, similar to rules that apply to television and print advertising. Knowing how complex and costly new compliance regimes can be, Mr. Zuckerberg should be careful what he wishes for.
