Court approves $5 billion FTC settlement with social media company
On April 23, the U.S. District Court for the District of Columbia approved a $5 billion settlement between the FTC and a global social media company, resolving allegations that the company violated consumer protection laws by using deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC. The settlement, first announced last July (covered by InfoBytes here), requires the company to take a series of remedial steps, including (i) ceasing misrepresentations concerning its collection and disclosure of users’ personal information, as well as its privacy and security measures; (ii) clearly disclosing when it will share data with third parties and obtaining users’ express consent if the sharing goes beyond a user’s privacy setting restrictions; (iii) deleting or de-identifying a user’s personal information within a reasonable time frame if an account is closed; (iv) creating a more robust privacy program with safeguards applicable to third parties with access to a user’s personal information; (v) creating a new privacy committee and designating a dedicated corporate officer in charge of monitoring the effectiveness of the privacy program; (vi) alerting the FTC when more than 500 users’ personal information has been compromised; and (vii) undertaking reporting and recordkeeping obligations, and commissioning regular, independent privacy assessments. The order “resolves all consumer-protection claims known by the FTC prior to June 12, 2019, that [the company], its officers, and directors violated Section 5 of the FTC Act.” While the court acknowledged concerns raised by several amici opposing the settlement, the court concluded that the settlement and the proposed remedies were reasonable and in the public interest. On April 28, the FTC announced the formal approval of amendments to its 2012 privacy order to incorporate updated provisions included in the 2019 settlement.