FTC Opens Investigation into Privacy Practices of Facebook after Alleged Data Breach Involving 50 Million Users

Written By ESR News Blog Editor Thomas Ahearn

On March 26, 2018, the Federal Trade Commission (FTC) – the primary federal privacy and data security enforcement agency – confirmed it has opened an investigation into the privacy practices of Facebook, the world’s largest social media platform with 2.2 billion monthly active users, after a data breach that allegedly allowed Cambridge Analytica, a data analytics firm based in London, United Kingdom (UK), to access the personal information of approximately 50 million Facebook users.

“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act,” Tom Pahl, Acting Director of the FTC Bureau of Consumer Protection, said in a statement regarding concerns about Facebook’s privacy practices.

“Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices,” Pahl said. The entire FTC statement is at www.ftc.gov/news-events/press-releases/2018/03/statement-acting-director-ftcs-bureau-consumer-protection.

In March 2018, The Guardian reported that Cambridge Analytica – described as a “data analytics firm that worked with (U.S. President) Donald Trump’s election team” and as “headed at the time by Trump’s key adviser Steve Bannon” – harvested personal information from millions of Facebook user profiles without any authorization in order to build a software program that could target individual voters in the United States with personalized political advertisements to predict and influence choices in the election.

In a post on his Facebook page dated March 21, 2018, Facebook co-founder, Chairman, and Chief Executive Officer (CEO) Mark Zuckerberg told users the Menlo Park, California-based company had “a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” that he had worked “to understand exactly what happened and how to make sure this doesn’t happen again,” and also shared “an update on the Cambridge Analytica situation” that included a timeline of the events:

  • In 2007, we launched the Facebook Platform with the vision that more apps should be social. Your calendar should be able to show your friends’ birthdays, your maps should show where your friends live, and your address book should show their pictures. To do this, we enabled people to log into apps and share who their friends were and some information about them.
  • In 2013, a Cambridge University researcher named Aleksandr Kogan created a personality quiz app. It was installed by around 300,000 people who shared their data as well as some of their friends’ data. Given the way our platform worked at the time this meant Kogan was able to access tens of millions of their friends’ data.
  • In 2014, to prevent abusive apps, we announced that we were changing the entire platform to dramatically limit the data apps could access. Most importantly, apps like Kogan’s could no longer ask for data about a person’s friends unless their friends had also authorized the app. We also required developers to get approval from us before they could request any sensitive data from people. These actions would prevent any app like Kogan’s from being able to access so much data today.
  • In 2015, we learned from journalists at The Guardian that Kogan had shared data from his app with Cambridge Analytica. It is against our policies for developers to share data without people’s consent, so we immediately banned Kogan’s app from our platform, and demanded that Kogan and Cambridge Analytica formally certify that they had deleted all improperly acquired data. They provided these certifications.
  • Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified. We immediately banned them from using any of our services. Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We’re also working with regulators as they investigate what happened. This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.

Cambridge Analytica responded to Facebook saying it “fully complies with Facebook’s terms of service and is currently in touch with Facebook following its recent statement that it had suspended the company from its platform, in order to resolve this matter as quickly as possible. Cambridge Analytica’s Commercial and Political divisions use social media platforms for outward marketing, delivering data-led and creative content to targeted audiences. They do not use or hold data from Facebook profiles.”

This is not the first time the FTC has investigated Facebook. In November 2011, Facebook agreed to settle FTC charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The settlement required Facebook to give consumers clear and prominent notice and to obtain express consent from consumers before their information is shared beyond the privacy settings they have established.

The FTC’s complaint against Facebook – part of an effort to make sure companies live up to the privacy promises they make to American consumers – charged that the claims Facebook made were unfair and deceptive, and violated federal law. “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” then FTC Chairman Jon Leibowitz said in a press release. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”

ESR has EU-U.S. and Swiss-U.S. Privacy Shield Certification

Employment Screening Resources (ESR) received notification from the International Trade Administration (ITA) that its annual re-submission for self-certification of adherence to the European Union (EU)-United States (U.S.) Privacy Shield Framework was effective on September 22, 2017. ESR was one of the first Privacy Shield adopters with an original certification date of August 12, 2016. ESR’s self-certification for Swiss-U.S. Privacy Shield Framework was effective on March 5, 2018.
