ATTORNEY: MARC C. GORRIE
POMERANTZ MONITOR SEPTEMBER/OCTOBER 2019

In a press release issued July 24, 2019, the Securities and Exchange Commission announced charges against Facebook, Inc. as well as the settlement of the case; Facebook has agreed to pay $100 million to settle the SEC charges. This comes on the heels of Facebook’s settlement with the Federal Trade Commission (“FTC”), which provided for a record fine of approximately $5 billion arising from the same privacy violations.  

In 2012, the FTC charged Facebook with eight violations regarding privacy concerns, including making misleading or false claims regarding the company’s control of the personal data of their users. The FTC alleged that Face­book had inadequately disclosed its privacy settings that control the release of personal data to third party develop­ers, particularly in instances where one user designated its personal information as private, yet that information was still accessible via a friend who had not so designated it. This, the FTC alleged, dishonored users’ privacy choices; the company settled those 2012 charges by agreeing to an order prohibiting Facebook from making misrepresen­tations regarding the privacy and security of user data and requiring the establishment of a privacy program.  

One of the central allegations of the FTC complaint was that while Facebook announced it was no longer allowing third parties to collect users’ personal data, it continued to allow such collection to continue. Further, the FTC al­leged that Facebook had no screening process for the third parties that received this data.  

The SEC alleged that Facebook knowing misled investors regarding their treatment of purportedly confidential user data for over two years. While the company publicly stated their users’ data “may be improperly accessed, used or disclosed,” Facebook actually knew that a third-party de­veloper had done so. Merely identifying and disclosing potential risks to a company’s business rings hollow when those risk materialize and no disclosure is made.  

According to the SEC’s complaint, Facebook discovered in 2015 that user data for approximately 30 million Americans was collected and misused in connection with political ad­vertising activities. The complaint alleges that Cambridge Analytica, a data analytics company, paid an academic researcher to collect and transfer Facebook data to cre­ate personality profiles for American users, in violation of Facebook’s policy that prohibits developers, including researchers, from selling or transferring its users’ data. The data gathered and transferred to Cambridge Analytica included names, genders, birthdays, and locations, among other pieces of information. This discovery was confirmed to Facebook by those involved in 2016.  

It was during this period that Cambridge Analytica was hired by the Trump campaign to provide data analysis on the American electorate. Touting its cache of some 5,000 data points and personality profiles on every American, Cambridge Analytica assisted the campaign in identifying “persuadable” voters, though it maintains that this anal­ysis was done using data maintained by the Republican National Committee, not by Cambridge Analytica.  Until Facebook disclosed the incident in March of 2018, it continued to mislead investors in SEC filings and through news sources by depicting the risk of privacy violations as merely possible, although they had actually occurred, and by stating that it had found no evidence of wrongdoing, even though it had.  

Compounding the company’s shortcomings was the SEC’s contention that Facebook had “no specific policies or procedures in place to assess the results of their investigation for the purposes of making accurate disclosures in Facebook’s public filings.” Had Facebook had such mechanisms in place, the presentation of user data mis­use as a hypothetical risk, when in reality it had occurred, would have been prevented.  

The resolution of this enforcement action by the SEC continues the strong message the agency has been sending regarding the accuracy of public companies’ risk disclosures concerning data privacy and cyber security. This portends to be merely an early round in Facebook’s struggles to bring its business practices under control.