Facebook could face FTC scrutiny, say privacy lawyers

Facebook could face FTC scrutiny, say privacy lawyers

Facebook could have violated its 2011 agreement with the Federal Trade Commission by sharing users’ personal information with other companies, observers have said.

On 18 December, the New York Times alleged that the social network had allowed Microsoft to view users’ Facebook friends without their consent, and had given Netflix, Spotify and Royal Bank of Canada access to users’ private messages.

The newspaper claimed that Facebook’s “data partnerships” with these companies were still active in 2017. Several companies including Apple and film reviewer Rotten Tomatoes have claimed they were not aware of their special access to users’ data.

Facebook responded in a website post the same day stating that none of the partnerships involved using information without users’ permission and that it has not violated its 2012 settlement with the FTC, which came after an investigation into Facebook making users’ information publicly available without their consent in 2011.

The FTC agreement required Facebook to give customers “clear and prominent notice” and obtain express consent before their information was shared beyond their established privacy settings. Facebook was to also obtain independent audits by a third party every two years certifying that it has an FTC-approved privacy programme in place. Those audits were carried out by PwC.

According to a response given to the New York Times, Facebook considered its partners to be “service providers”, and therefore exempt from the FTC’s requirements to secure users’ consent before sharing data.

Frances Goins, a partner at Ulmer & Berne in Cleveland, told GDR that Facebook could have violated the FTC’s consent agreement with regard to data integration partners’ use of personal data for marketing purposes as “although the FTC originally pursued Facebook for false statements and failure to disclose, the consent requirement is broader than that”.

She added that Facebook may have also violated the agreement with regards to the promised privacy programme. Goins also noted that the EU authorities are likely to take action against Facebook on the basis of these recent disclosures.

Scott Lyon, a partner at Michelman & Robinson in Orange County, told GDR that since the recent accusations are very similar to the FTC’s in 2011, the regulator is likely to scrutinise the standard of auditing: “Although Facebook will bear the brunt of any investigation, the FTC will be in good standing to ask what exactly PWC was auditing and why they were not alarmed by this activity.”

He added that the fallout will not be limited to Facebook, but also the other technology companies involved: “These companies did not behave like service providers, as Facebook tried to argue, but actually appeared to be involved in peer-level data agreements. The FTC will be scrutinising what information they had access to and what information they actually accessed, and I’m sure other social media platforms will take note, as many operate on a similar model.”

A spokesperson from Facebook told GDR that Facebook built their privacy programme as set out in the FTC settlement by “creating a privacy governance team, which is made up of our chief privacy officer and people who lead our policy, legal compliance, and security teams.”

They added that these teams ensure privacy risks for product launches and does not ultimately approve new features as “that responsibility rests with product and executive leadership.”

These revelations follow numerous data controversies for Facebook including the Cambridge Analytica scandal, for which Facebook are being sued by the Washington DC attorney general.

The FTC declined to comment.