Facebook agreed to pay a record $5 billion to resolve a U.S. investigation into years of privacy violations, a settlement that increases the board of directors’ responsibility for protecting users’ data while changing little about the company’s lucrative advertising business.
The agreement, announced Wednesday by the Federal Trade Commission, will for the first time end Chief Executive Officer Mark Zuckerberg’s final authority over privacy decisions, creating an independent privacy committee of directors on the company’s board, according to an FTC statement.
The accord will also require Facebook to keep a tighter leash on third-party apps, perform regular sweeps for unencrypted passwords and refrain from using telephone numbers obtained for security purposes for advertising. It also calls for the company to conduct privacy reviews of new offerings and submit to new privacy certifications and assessments.
The agreement, which was approved by the FTC’s Republican majority by a vote of 3-2, does little to alter Facebook’s structural data collection practices, which are at the heart of its business model. While the fine is steep, it’s far from devastating for Facebook, which reported sales of almost $56 billion in 2018. It had set aside $3 billion in anticipation of the fine.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” Chairman Joseph Simons said in a statement. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
While the fine is the largest ever imposed by the FTC for a privacy violation, it didn’t satisfy the agency’s two Democratic commissioners, Rebecca Kelly Slaughter and Rohit Chopra, who voted against it.
“When companies can violate the law, pay big penalties, and still turn a profit while keeping their business model intact, enforcement agencies cannot claim victory,” Chopra said in a statement. He said the settlement did little to empower the board to represent users rather than shareholders on privacy while releasing the company and executives from accountability for a broad array of potential misdeeds.
Slaughter said that given Facebook’s repeated violations, the FTC would have been more likely to change the company’s behavior by suing it and its CEO.
The deal is also unlikely to mollify critics in Congress and among privacy advocates who have called for accountability for Zuckerberg, fines that represent a greater share of the company’s revenue and the unwinding of Facebook’s acquisition of Instagram and WhatsApp.
The FTC probe stems from the March 2018 disclosure that Cambridge Analytica, a consulting firm hired by Donald Trump’s 2016 presidential campaign, improperly obtained data on tens of millions of Facebook users from a researcher who collected personal data through a third-party quiz app. The app not only collected its users’ data, but also information on their friends, affecting millions of consumers.
The Cambridge Analytica scandal dealt a blow to Facebook’s reputation at a time when the company was already under fire for allowing Russian agents to exploit its platform to try to influence the 2016 election. The company’s battered reputation caught up with it earlier this month, when lawmakers railed against Facebook’s plan to introduce a digital currency. Sherrod Brown of Ohio, the top Democrat on the Senate Banking Committee, called the company “dangerous.”
The FTC also announced separate settlements with the now-defunct political consulting firm, its former CEO Alexander Nix, and an app developer who worked with the company, Aleksandr Kogan.
The agency’s investigation went far beyond issues around Cambridge Analytica. The FTC alleged violations going back to 2012, the same year that Facebook finalized an earlier consent order over privacy lapses. Four months after that accord, the FTC said, Facebook removed a disclosure that information users shared with friends could get sucked up by the apps those friends used — while allowing the practice to continue.
Facebook also announced in 2014 that it would stop letting outside app developers collect data of users’ friends, according to the FTC. However, the company told developers they could continue the practice for a year if their apps were already on the platform — and failed to stop the sharing until mid-2018 or later. The company also often limited enforcement of its policies against third-party developers if they were making Facebook money, the FTC alleged.
Under the settlement, Facebook will have to report data compromises to the FTC if more than 500 users are affected, terminate apps that fail to certify their compliance with company policies and provide greater notice of its use of facial recognition. Facebook had misled users to think they could opt in to a facial recognition feature, even though it was turned on by default, the FTC said.
Compliance with the order will be managed by an independent committee on Facebook’s board of directors, which Zuckerberg will not appoint. Zuckerberg, and a designated compliance officer approved by the independent committee, must certify compliance both with the privacy program and the larger order. False certification will “subject them to individual civil and criminal penalties,” the FTC said.
Facebook spent months negotiating the settlement with the FTC, and any future potential violations would likely require similar deliberation and delay. That makes it a weaker burden on Facebook than Europe’s General Data Protection Regulation, which for small violations penalizes companies 10 million euros, or 2% of the violator’s worldwide annual revenue, whichever is higher.
While the new agreement removes a major burden weighing on the Menlo Park, California-based company, it is still grappling with investigations by other authorities in the U.S. and the European Union. European officials are pursuing multiple data-protection investigations, while the city of Washington, D.C., is suing the company over Cambridge Analytica, and the New York State attorney general, Letitia James, has announced that her office is looking into the company’s harvesting of some users’ email contacts.
In addition, a federal judge in California in May declined to dismiss lawsuits brought on behalf of tens of millions of users who blame the company for allowing their private information to be shared in the Cambridge Analytica scandal.
The FTC itself is also poised to continue scrutiny of Facebook. As part of a broad agreement with the Justice Department dividing oversight of four of the biggest tech companies, the agency will take responsibility for a potential antitrust investigation into the company. One area of focus is likely to be its acquisitions of Instagram and WhatsApp.
And the Justice Department’s antitrust division disclosed plans Tuesday to scrutinize tech platforms following mounting criticism across Washington that the companies have become too big and powerful. The department didn’t specify which firms it would look at but strongly suggested Facebook, Alphabet Inc.’s Google and Amazon.com Inc. were in the cross-hairs.
–With assistance from Sarah Frier.