Facebook, under a 20-year settlement with the Federal Trade Commission over privacy violations, will pay a record-breaking $5 billion fine and submit to new oversight by the commission.
The settlement promises to strengthen the obligations Facebook has to provide transparency to the FTC about its business practices — with requirements that are over and above what is required by U.S. law, according to the company. However, the FTC deal does not put anything in place that will fundamentally change how Facebook does business, including how it sells advertising or collects data on users.
The FTC deal with Facebook, announced Wednesday after months of negotiations, will impose what the commission claimed are “unprecedented new restrictions” on the social-media giant’s business practices related to user privacy. That includes requiring Facebook’s board to establish an independent privacy committee that will remove “unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy,” according to the FTC. Zuckerberg is barred from firing directors appointed to the privacy committee, who can only be removed by a supermajority of the Facebook board of directors.
Zuckerberg, in a Facebook post, spun the massive FTC fine and new restrictions as an example of the company’s commitment to doing a better job of handling users’ data and suggested Facebook is an industry leader in this area. “We have a responsibility to protect people’s privacy. We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry,” he wrote.
It’s the biggest fine ever levied by the FTC — and nearly 20 times more than the previous highest privacy-related penalty by a regulator anywhere in the world, according to the agency. The agreement settles FTC charges that the company violated a 2012 order by “deceiving users about their ability to control the privacy of their personal information.”
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” FTC Chairman Joe Simons said in a statement.
The $5 billion fine, which Facebook already told investors it was prepared to pay, is less than the company’s net profit ($5.43 billion) for the first quarter of 2019 alone. Shares of Facebook were down about 1% after the FTC settlement was announced. Facebook is scheduled to report Q2 earnings after market close Wednesday.
Word of the FTC’s approval of the $5 billion fine leaked out earlier this month. The large fine is designed “not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations,” according to Simons.
The official announcement comes as tech giants face a growing political backlash over their economic power. On Tuesday, the Justice Department announced a broad antitrust review of large internet platforms.
In addition to the violations of the FTC’s 2012 order, the commission alleges that Facebook violated the agency’s ban on deceptive practices when it told users it would collect their phone numbers to enable a security feature but failed to disclose that it also used those numbers for advertising purposes.
The FTC’s agreement with Facebook, in addition to establishing an independent privacy committee composed of Facebook board members, also requires the company to designate compliance officers who will be responsible for Facebook’s privacy program (and will be overseen by the board, not Zuckerberg or other employees).
Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated under the order, as well as an annual certification that the company is in overall compliance with the order. “Any false certification will subject them to individual civil and criminal penalties,” the FTC said.
The order also mandates an FTC-approved independent assessor to review Facebook’s privacy program twice yearly who will be required to report directly to the new privacy board committee on a quarterly basis.
Under the new FTC-imposed framework, Facebook also is on the hook to remediate “old products that don’t work the way they should” and to build new products to a higher standard, Facebook VP of product partnerships Ime Archibong wrote in a blog. In reviewing the dozen partners continue to access Facebook data, only two — Microsoft and Sony — were still accessing “limited types of friends data,” according to Archibong. “Based on our previous commitments, we are ending these partners’ access to friend data immediately. This was our mistake, and we are correcting it.”
The FTC commissioners voted 3-2 to approve the Facebook settlement — breaking along party lines, with the three Republicans giving it a thumbs up and the two Democrats dissenting, saying it didn’t have enough teeth.
The settlement “does little to change the business model or practices that led to the recidivism,” FTC commissioner Rohit Chopra, a Democrat, wrote in part in a dissenting statement. “The settlement imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations. Nor does it include any restrictions on the company’s mass surveillance or advertising tactics. Instead, the order
allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.”
Separately, Facebook will pay a $100 million fine to the Securities and Exchange Commission related to its failure to disclose to investors data abuse like the improper sharing of info on millions of Facebook users with Cambridge Analytica. “We share the SEC’s interest in ensuring that we are transparent with our investors about the material risks we face, and we have already updated our disclosures and controls in this area,” Facebook said.