FTC's $5 billion penalty for Facebook security lapses includes new health privacy restrictions

The fine is the largest ever imposed on any company for violating consumers' privacy, according to the FTC.

Jeff Lagasse, Associate Editor

Facebook will pay a record $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users' privacy, according to a notice posted last week by the Federal Trade Commission.

The penalty is to settle FTC charges that the company violated a 2012 order by deceiving users about their ability to control the privacy of their personal information, including protected health information.

The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers' privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide, according to the FTC. It is one of the largest penalties ever assessed by the U.S. government for any violation.

The settlement order also imposes new restrictions on Facebook's business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.

More than 185 million people in the U.S. and Canada use Facebook on a daily basis. Facebook monetizes user information through targeted advertising, which generated most of the company's $55.8 billion in revenue in 2018. To encourage users to share information on its platform, Facebook promises users that they can control the privacy of their information through its privacy settings.

Following a yearlong investigation by the FTC, the Department of Justice filed a complaint on behalf of the Commission alleging that Facebook repeatedly used deceptive disclosures and settings to undermine users' privacy preferences in violation of its 2012 order. These tactics allowed the company to share users' personal information with third-party apps that were downloaded by the user's Facebook friends. The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore didn't take the steps needed to opt out of sharing.


Facebook was accused back in February of misleading users of its Groups platform about who can see their private information. A report written by CareSet Systems CTO and hacktivist Fred Trotter and healthcare attorney David Harlow contends that Facebook did not disclose how much information could be visible to outsiders, including health information.

The report claimed that even though the social media site actively encourages users to share private health information in numerous ways, Facebook's privacy and access control settings are inconsistently applied.

In addition, the report said Facebook allowed substantial patient health information to leak, and that, as a personal health record platform, it is in violation of the FTC's Health Breach Notification Rule.

In April, Facebook announced it would create a new type of community dubbed "health support groups." According to a STAT report, once a Facebook community is labeled as a health support group, its members can ask administrators to post health-related questions on their behalf.

Users must make a request to join closed groups on Facebook, and only current members can see who else is in the group, a change that was made to the site's policies earlier this year.


To prevent Facebook from deceiving its users about privacy in the future, the FTC's new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision-making, and holding Facebook accountable via overlapping channels of compliance.

The order creates greater accountability at the board of directors level. It establishes an independent privacy committee of Facebook's board of directors, removing unfettered control by Facebook CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be removed by a supermajority of the Facebook board of directors.

Facebook will also be required to designate compliance officers who will be responsible for Facebook's privacy program; submit to a third-party assessor's evaluations of the effectiveness of its privacy program and remediate any gaps identified; conduct a privacy review of every new and modified product; establish and maintain a comprehensive data security program; and encrypt user passwords and regularly scan to detect whether any passwords are stored in plain text.

Twitter: @JELagasse