Facebook : Completing a Six-Month Independent Privacy Assessment

Two years ago, we reached anagreement with the Federal Trade Commissionthat brings a new level of oversight and accountability to our privacy program. It has already improved virtually every aspect of our approach to protecting people's privacy.

As part of the agreement, a qualified, independent Assessor approved by the FTC produces reports at regular intervals on the effectiveness of our implementation and maintenance of our privacy program. We recently submitted the Assessor's first report to the Federal Trade Commission, the U.S. Department of Justice and Facebook's independent Privacy Committee of our Board of Directors.

This report provides an initial six-month assessment of the progress we've made so far under the 20-year Order. But it's only the first step in a long process. The report presents an objective view of our program and is also required to "identify any gaps or weaknesses" that we can improve.

Our Progress

The report recognizes the high level of access and cooperation that we provided throughout the assessment process. It also calls out our extensive investments in privacy compliance and notes that the scope of our privacy program and the structure we've used to organize it are comprehensive. As a result, the key foundational elements necessary for an effective program are now in place even if some are still developing. A few of these include:

• Implementing a governance structure that incorporates an independent Privacy Committee of our Board. The Committee provides ongoing oversight of our Privacy Program and other privacy-related matters.
• Rebuilding our new privacy program from the ground up and in consultation with outside experts, based on the significant changes required by the Order.
• Standing up and continuing to grow a central privacy organization, supported by thousands of people working on privacy-related projects across the company.
• Developing many new teams and processes to assess and mitigate risk, including a dedicated Privacy Review function to evaluate potential privacy risks posed by new or modified products or data practices.

Opportunities for Improvement

As required by the FTC Order, the report also identifies key areas where we can improve our program. These include:

• Enhancing the Privacy organization's oversight role so it increases its effectiveness as an independent and standard-setting compliance function,
• Continuing to develop a compliance mindset focused on evaluating risks and controls while evolving existing processes and prioritizing compliance documentation and consistency, and
• Bolstering our privacy safeguards and controls using technology that builds on our core strengths in automation and analytics.

We agree with these focus areas and identified many of the same ones ourselves for further investment. The report's recommendations are consistent with what one would expect to see for a rapidly evolving, early stage program of this level of complexity.

We're committed to strengthening our privacy program and plan to make further improvements based on the recommendations we received. Our approach has required teams in every business unit to adjust their plans and take on additional work to build out our program. We've already put the foundation in place, and we look forward to delivering more progress in the months and years ahead.