In testimony before the Senate Judiciary and Commerce, Science, and Transportation committees, Facebook chief executive Mark Zuckerberg said that his company did not notify the Federal Trade Commission about the initial user data leak that triggered its most recent privacy scandal.
“They considered it a ‘closed case’,” Zuckerberg said in response to a question over whether Facebook’s staff notified anyone at the FTC about the leak of consumer data in 2015 when Facebook claimed it learned about the data leak.
Cambridge Analytica’s access to Facebook user data, which it acquired improperly through a third-party quiz app, is at the heart of Facebook’s latest scandal — and Facebook’s failure to notify the FTC of the data leak could have triggered the commission’s recent probe.
In a statement issued at the time about Facebook’s privacy controls, Tom Pahl, acting director of the Federal Trade Commission’s Bureau of Consumer Protection, said:
“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act. Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”
The terms of the initial settlement deal that Facebook inked with the SEC in 2011 barred the company from making misrepresentations about the privacy or security of consumers’ personal information, and required the company to get express consent before changing privacy preferences.
The agreement also included the following commitment from Facebook:
that it “establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.”