Naked Security

Facebook fined $11m for misleading users about how data will be used

They said Facebook emphasizes the service being free, not that it's making big bucks off users' data. They ordered the company to apologize.

Italy’s competition regulator announced on Friday that it’s fining Facebook €10m (USD $11m, £8.9m) for laying it on thick when it comes to the service being “free” to users but keeping quiet about how the company’s making money off their data.
The fines come out of an investigation the Italian Competition Authority (ICA) wrapped up on 29 November. Opened last April, it looked into alleged violations of the Consumer Code by Facebook Ireland Ltd. and its parent company, Facebook Inc.
Here’s what the ICA had to say about it:

Facebook emphasizes the free nature of the service but not the commercial objectives that underlie the provision of the social network service, thus inducing users into making a transactional decision that they would not have taken otherwise (i.e., to register in the social network and to continue using it). The information provided is in fact general and incomplete and does not adequately make a distinction between the use of data to personalize the service (in order to connect “consumer” users with each other) and the use of data to carry out advertising campaigns aimed at specific targets.

Four Consumer Code violations

Facebook violated four of the Consumer Code articles, the ICA concluded: by misleading consumers into “registering without adequately and immediately informing them during the creation of the account that the data they provide will be used for commercial purposes,” it’s violated articles 21 and 22.
The ICA also found that Facebook has violated articles 24 and 25 with “aggressive” business practices, as it “exerts undue influence on registered consumers,” it said.
Those users are hurt by Facebook’s failure to obtain their “express and prior consent,” leading to transmission of their data “unconsciously and automatically” to third-party websites and apps for commercial purposes, and vice versa.

The undue influence is caused by the pre-selection by Facebook of the broadest consent to data sharing. When users decide to limit their consent, they are faced with significant restrictions on the use of the social network and third-party websites/apps, which induce users to maintain the pre-selected choice.

Specifically, Facebook pre-selects the “Active Platform” function, which pre-sets the users’ ability to access websites and external apps using their accounts, thus enabling transmission of their data without users’ express consent, the ICA said.
Facebook regularly uses “opt-out” instead of “opt-in” in other data-sharing scenarios, the ICA said, including “whenever users access third-party websites/apps, including games, using their Facebook accounts.”

In this case also, users can in fact only deselect the pre-setting operated by Facebook, without being able to make a free, informed choice.

Besides the fines, the ICA has ordered Facebook to publish an apology on its site and on its app.

Facebook said in a statement that it’s thinking it over:

We are reviewing the Authority’s decision and hope to work with them to resolve their concerns. This year we made our terms and policies clearer to help people understand how we use data and how our business works. We also made our privacy settings easier to find and use, and we’re continuing to improve them. You own and control your personal information on Facebook.

This is the second fine that regulators have slapped on Facebook since the Cambridge Analytica data-sharing scandal, and it’s highly unlikely that it will be the last. In October, the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), fined the company £500k (about $640k).
The Guardian reports that other regulators have been expressing interest in Facebook’s practices: Ireland, California, and the US Federal Trade Commission.
The Irish Data Protection Commission has opened a formal investigation into a data breach that Facebook discovered in September and which affected nearly 50m accounts. The Irish investigation could result in a fine of up to $1.63bn.
The Irish penalty probably won’t turn out all that stiff: the Guardian quoted Rowenna Fielding, a senior data protection lead at Protecture, who noted that the amount was “a ceiling, not a stipulation”.


Surely FB can start to be seen as repeat offender? Bang ’em with the $1.63bn Dublin! Ah, g’wan g’wan g’wan! :-))


The real question is: If the majority of people realized how fiscally valuable their personal data was, would they still give it away for “free?” I’ve always been of a mind that companies like Facebook and Google, who make billions of dollars every year from selling access to user data, aren’t fairly compensating their users with “free” services like email (I can get “free” email from a dozen other providers who don’t profit from the sale of my info). IMHO, if anything, their users, who generate the data that turns out to be so profitable, deserve a reasonable percentage of all profits.


I disagree with your assertion that those other email providers don’t profit from the sale of your info. Do you believe they are provisioning and supporting their servers out of pure altruism? Every for-profit company exists to sell a product. Any time you receive web services for “free” you are the product.


And Zuckerberg will have asked, “Will you be wanting cash or cheque, for that? Let me just see what I’ve got in my lunch money…”

