Two recent class action settlements highlighted just how seriously companies should take their duty to protect users’ information. The cost of not doing so is astronomical. These settlements also speak to the rare calculus of the value of a user’s private information.
Meta, the parent of Facebook, just agreed to a $725 million settlement, while Epic Games, the parent company of the online game Fortnite, found itself settling a class-action suit for $26.5 million. That’s in addition to a separate Federal Trade Commission (FTC) action, which had a $275 million penalty and an additional $245 million in refunds to customers.
Let’s look at what these entities did that resulted in their having to pay such hefty settlements.
The FTC alleged that Epic Games violated the Children’s Online Privacy Protection Act (COPPA) and “deployed design tricks, known as dark patterns, to dupe millions of players into making unintentional purchases.”
The FTC characterized the action as involving “record-breaking settlements.”
With respect to the COPPA violation, the FTC tells us that “Epic will be required to adopt strong privacy default settings for children and teens, ensuring that voice and text communication are turned off by default.” The $245 million will be used to refund customers for “its dark patterns and billing practices.”
Interestingly, Epic Games admitted no wrongdoing in its class action settlement, yet added another $26.5 million debit to its balance sheet and gave Fortnite players game credits.
“As our complaints noted, Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children,” said FTC Chair Lina M. Khan. “Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”
The Meta settlement deals with how Facebook allowed user data to be shared with Cambridge Analytica and that entity’s use of the data for political advertising. The $725 million is believed to be the largest settlement in a data privacy class action case.
Readers may remember Cambridge Analytica from the quiz app, “This is Your Digital Life,” which harvested personal data from 87 million Facebook users. This action was the impetus behind the original class action, which grew over time to include other instances of Facebook sharing user information with outside entities without obtaining user permission.
Meta told CNBC, “We pursued a settlement as it’s in the best interest of our community and shareholders. Over the last three years, we revamped our approach to privacy and implemented a comprehensive privacy program.”
Equally interesting, Meta/Facebook also admitted no wrongdoing in its class action settlement, yet agreed to pay $725 million. One should recall that the FTC took Meta/Facebook to task in 2019 when it extracted a $5 billion settlement over the company’s privacy policies.
Instead of paying these hefty settlements after the fact, both entities could have invested a fraction of those costs in systems that protected the consumer and the consumer’s privacy. In both cases, those injured by the actions were users on whom Facebook/Meta and Epic Games rely for their existence. It doesn’t seem smart to bite (and rip off) the hand(s) that are feeding you. The takeaway for developers, DevOps teams and CISOs is that user data privacy is priceless. Companies should think ahead to the ramifications of the processes and systems they put in place and make decisions based on what is best for the user in the long term, versus what is best for the corporate till in the short term.