Facebook agrees to pay record $5 billion in privacy settlement with FTC

Facebook agrees to pay record $5 billion in privacy settlement with FTC

Facebook will pay $5 billion as part of a record settlement with the Federal Trade Commission (FTC) over charges of extensive privacy violations in its handling of the Cambridge Analytica scandal, the agency announced Wednesday.

The FTC found that Facebook deceived its users about their privacy protections while allowing third parties to harvest their data and that the company failed to establish a "reasonable privacy program that safeguarded the privacy, confidentiality, and integrity of user information" as required under a previous agreement with the agency.

The agency further alleged that Facebook illegally used phone numbers that users provided to protect their accounts' security for advertising purposes without their consent. And Facebook was also charged with deceiving its users about its facial recognition technology.


“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” FTC Chairman Joseph Simons said in a statement.

“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC," he added. "The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

The fine is by far the highest the U.S. government has ever imposed on a technology company for privacy violations, but the FTC's Republican leadership was immediately put on the defensive against long-building criticism that the punishment was not severe enough for a company that has been besieged by privacy scandals.

Simons and his Republican colleagues stressed that the remedies in their order were restricted by the agency's limited legal authority codified in a century-old law. And they also reiterated their call for Congress to grant the commission more power and resources.

"The extent to which Facebook, or any other company, should be able to collect, use, aggregate, and monetize data, is something Congress should evaluate in its consideration of federal privacy legislation," the three GOP commissioners said in a joint statement.

The FTC charged that Facebook broke promises it made to the commission as part of a previous settlement in 2012 that required the company to better protect user data. Facebook stock was down around 2 percent Wednesday morning.

As part of the latest settlement, Facebook will have to create a privacy committee within its board of directors to review decisions within the company and provide more oversight of Chairman and CEO Mark ZuckerbergMark Elliot ZuckerbergBipartisan attorneys general urge Facebook to scrap planned Instagram for kids Hillicon Valley: Broadband companies funded fake net neutrality comments, investigation finds | Twitter rolls out tip feature | Google to adopt 'hybrid work week' Oversight Board achieving what government cannot MORE.

Facebook also agreed to pay the Securities and Exchange Commission $100 million to settle charges that it had misled investors about the material risks that its privacy practices posed.

Leaks about the settlement have been trickling out for months, prompting anger from the company's many critics on Capitol Hill who see the fine and conditions as a slap on the wrist for such a massive corporation. 

Lawmakers and privacy advocates for months have been setting high expectations for the settlement, which is being widely viewed as a test of the FTC's ability to police Silicon Valley as the industry faces heavy scrutiny in Washington. Facebook's critics wanted to see a bigger fine and liability for executives like Zuckerberg, who exercises practically unilateral control over the company's decisionmaking.

The FTC's Republican commissioners approved the deal in a 3-2 party-line vote, with their Democratic colleagues dissenting.

One of those Democrats, Commissioner Rohit Chopra, argued in his dissent that the settlement does not go far enough to rein in what he sees as rampant privacy abuses within the company. Those abuses, Chopra said, are a feature or Facebook’s business model of monetizing information about its users for advertising.

“Here, Facebook’s behavioral advertising business model is both the company’s profit engine and arguably the root cause of its widespread and systemic problems,” Chopra wrote. “Behavioral advertising generates profits by turning users into products, their activity into assets, their communities into targets, and social media platforms into weapons of mass manipulation. We need to recognize the dangerous threat that this business model can pose to our democracy and economy.”

Zuckerberg said in a post on Wednesday that the settlement would require Facebook to make "major structural changes" to how it does business.

"To implement this, we’ll have to review our technical systems to document any privacy risks and how we're handling them," he wrote. "Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we're taking to mitigate them. We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward."

The FTC took the rare step of announcing an investigation into Facebook last year after news broke that Cambridge Analytica, a British political consulting firm, had bought data on millions of Facebook users without their knowledge from the developer of a personality quiz app.

On Wednesday, the FTC also announced a settlement with the developer, Aleksandr Kogan, and former Cambridge Analytica CEO Alexander Nix requiring them to destroy any remaining user data that they acquired. The agency also filed a lawsuit against Cambridge Analytica, which had filed for bankruptcy last year and is now defunct.

Facebook's settlement will require that it submit to monitoring by a third-party auditor for the next 20 years — a condition that had been imposed in the 2012 consent agreement but expanded and renewed in the latest order. Facebook management will have to brief auditors on its privacy practices and compliance efforts every quarter.

And while Zuckerberg escaped liability for the Cambridge Analytica debacle, he will have to certify compliance with the order and risk criminal and civil liability for any violations or misrepresentations made to regulators.

The social media company — and its subsidiaries Instagram and WhatsApp — is also required to better oversee how third-party developers handle user data. And the settlement includes certain conditions imposed on Facebook's own business practices, like a prohibition on using phone numbers that users provide for two-factor authentication for advertising and a requirement that it obtain affirmative consent from users before using facial recognition technology.

Still, the partisan split on the commission over the settlement will open the door for criticism that the federal agency could have done more to take on Facebook. Many lawmakers expressed outrage over the deal, saying it will do nothing to deter Facebook or any other company from abusing user privacy.

“With its settlement with Facebook, the FTC not only fell short, it fell on its face," Sen. Ed MarkeyEd MarkeySenators ask airlines to offer cash refunds for unused flight credits Civilian Climate Corps can help stem rural-urban divide Senate votes to nix Trump rule limiting methane regulation MORE (D-Mass.) said in a statement. "Facebook is getting away with some of the most egregious corporate bad behavior in the age of the internet. This settlement is a partisan abdication of the FTC’s duty."

Commissioner Rebecca Slaughter, a Democrat, wrote in her dissent that, while historic, the $5 billion fine is insufficient and the FTC should have opted to take Facebook to court instead of settling.

"I understand the majority’s argument in favor of the terms of the settlement, and I recognize the settlement’s historic nature," Slaughter wrote. "But I do not share my colleagues’ confidence that the order or the monetary penalty will effectively deter Facebook from engaging in future law violations, and thus I fear it leaves the American public vulnerable."

--Updated at 1:19 p.m.