FTC slaps Facebook with record $5 billion fine, orders privacy oversight

  • The Federal Trade Commission announces a settlement with Facebook over the company’s privacy policies.
  • The fine represents the largest ever imposed by the FTC against a tech company.
  • The FTC began probing Facebook in March 2018 following reports that political consulting firm Cambridge Analytica had improperly accessed the data of 87 million Facebook users.

The Federal Trade Commission approved a record $5 billion settlement Wednesday with Facebook over the company’s privacy policies.

Shares of Facebook were down slightly following the announcement, but turned positive in the afternoon. The stock was up less than half a percent, adding more than $2 billion to its market cap to bring it around $580 billion.

The fine is the largest ever imposed by the FTC against a tech company. The previous high was a 2012 $22.5 million fine against Google for its privacy practices.

The $5 billion fine against Facebook represents approximately 9% of the company’s 2018 revenue.

The 20-year settlement includes provisions that aim to create a level of independence from Facebook CEO Mark Zuckerberg’s decision-making.

It was approved along party lines in a 3-2 vote by the agency’s commissioners. The two dissenters, Democrats, said it didn’t go far enough.

The FTC started probing Facebook in March 2018 after reports that political consulting firm Cambridge Analytica had accessed the data of 87 million Facebook users without authorization. The agency was concerned that Facebook had violated the terms of a previous agreement, which required it to give users clear notifications when their data was being shared with third parties.

Separately, the Securities and Exchange Commission announced Wednesday it is charging Facebook with making misleading disclosures about the risk of misuse of user data. The SEC alleged Facebook described data misuse as hypothetical to investors when it was aware of real instances of misuse. Facebook agreed to pay $100 million to settle the charges, according to the SEC. On a call with reporters, the SEC’s deputy director of enforcement, Stephanie Avakian, said the $100 million figure represents the “highest penalty the SEC has ever assessed for this kind of disclosure failure.”

The FTC order mandates that Facebook create an independent privacy committee on its board of directors to remove “unfettered control” by Zuckerberg over user privacy decisions. The members will be nominated by an independent nominating committee and can only be fired by a two-thirds of voting shares, which would prevent Zuckerberg from controlling the vote with his share power.

Zuckerberg will also take on new responsibilities to ensure compliance with the order, according to the announcement. Zuckerberg was not questioned by the FTC as part of the probe, and that regulators were divided over whether to hold the executive more directly accountable.

At a press conference Wednesday morning, FTC Chairman Joe Simons said it was not necessary to question Zuckerberg to get a hold of the information it needed for the probe.

“We had a huge amount of material from them like emails documents, like millions of pages,” Simons said. “So we knew what the problems were, whether he was involved or not was a different thing. And so we knew what the violations were without having to do that.”

James Kohm, director of the FTC’s enforcement division, said, “Part of getting this tremendous result with the tools we had is we didn’t need to depose him but we could use that to get more protections for the public.”

“And in this case, we got a lot of relief that we couldn’t otherwise have obtained and that is in some small part due to not going further,” Kohm said.

In an interview with CNBC’s Ylan Mui, dissenting commissioner Rohit Chopra said the FTC did not investigate enough.

“I wanted to investigate further, really uncover what was on the executives’ and the directors’ minds, who was calling the shots, what was their motives,” said Chopra. “If we don’t even get those answers, how are we going to really know what really happened?”

But the order will require Zuckerberg and designated compliance officers to submit to quarterly certifications from the FTC to acknowledge that the company is in compliance with the order’s privacy program. Zuckerberg and the officers will also have to certify annually that the company is complying with the overall order, making them personally liable to tell the truth or face the potential for civil and criminal punishments. The compliance officers will be approved by the new board privacy committee and can only be removed by that committee, according to the release.

Outside of Facebook, an independent third-party assessor approved by the FTC will conduct biennial assessments and report to the new privacy committee quarterly. Facebook must notify the assessor within 30 days of discovering that data of 500 or more users has been compromised, according to the release.

In a statement, majority voters Simons and fellow Republican Commissioners Noah Joshua Phillips and Christine S. Wilson heralded the record-breaking fine as a “historic victory for American consumers.”

“The magnitude of this penalty resets the baseline for privacy cases — including for any future violation by Facebook — and sends a strong message to every company in America that collects consumers’ data: where the FTC has the authority to seek penalties, it will use that authority aggressively,” they wrote in a statement accompanying the announcement.

The two dissenting commissioners, Democrats Chopra and Rebecca Kelly Slaughter, disagreed with this assessment.

“While it is difficult in this case to quantify the economic value of the violations to the company, there is good reason to believe $5 billion is a substantial undervaluation,” Slaughter wrote in a dissenting statement. “The fact that Facebook’s stock value increased with the disclosure of a potential $5 billion penalty may suggest that the market believes that a penalty at this level makes a violation profitable.”

They also took issue with the lack of personal accountability for Facebook’s chief executive.

“I would have preferred to name Mr. Zuckerberg in the complaint and in the order,” Slaughter wrote. “I disagree with the decision to omit him now, and I strenuously object to the choice to release him and all other executives from any potential liability for their roles to date.”

The majority voters said the settlement includes more concessions than what they would expect to receive from a court battleand allows changes to be implemented immediately.

“If the FTC had litigated this case, it is highly unlikely that any judge would have imposed a civil penalty even remotely close to this one,” they wrote. The commissioners also said they would be unlikely to secure the structural changes imposed by the settlement order through litigation since they said they would not be able to allege and prove Facebook’s board structure is illegal.

“Even assuming the FTC would prevail in litigation, a court would not give the Commission carte blanche to reorganize Facebook’s governance structures and business operations as we deem fit,” the majority wrote. “Instead, the court would impose the relief. Such relief would be limited to injunctive relief to remedy the specific proven violations and to prevent similar or related violations from occurring in the future.”

Slaughter wrote that even if litigation would have been the riskier option in terms of ensuring specific concessions, it would have been beneficial for public transparency.

“If a hard-fought litigation against Facebook produced a result that fell short of public expectations, the public would have every incentive to demand that Congress take steps to address deficiencies in the law,” Slaughter wrote.

But Simons said at a press conference Wednesday morning that the FTC had few options under the current framework.

“Our authority in these types of cases is quite limited, which is why we have encouraged Congress to consider federal privacy legislation,” Simons said. “But for now, the only real world choice here was to take a historic settlement that provides an immediate and important protection to American consumers, or wait for years to get far less relief. To me, not really much of a choice at all.”

Chopra told CNBC’s Mui in an interview that the commission failed to use the tools it did have at its disposal effectively in this case.

“When it comes to repeat offenders we have big powers and that’s why when it comes to Facebook, we did have a lot of tools and I think we could have used them more aggressively,” Chopra said on CNBC. “But I’m not out there always begging for more authority. I want us to use the tools that we have and use them aggressively because this has to be a top concern for our entire economy.”

Chopra said the FTC’s actions against Cambridge Analytica compared to those against Facebook is an example of “disparate treatment” by the commission. The FTC announced Wednesday it is separately taking action against Cambridge Analytica and its former CEO Alexander Nix and app developer Aleksandr Kogan for their alleged use of “false and deceptive tactics to harvest personal information from millions of Facebook users,” according to the announcement. Nix and Kogan agreed to a settlement restricting their business conduct, the FTC said.

In a blog post by Facebook’s general counsel Colin Stretch said: “The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”

In the complaint accompanying the settlement, the government alleges that Facebook violated its 2012 settlement order with the agency by sharing data with third-party developers without explicit consent of some users. It alleges Facebook also misled tens of millions of users about their ability to control facial recognition technology on their accounts by turning the setting on by default.

The FTC also alleges Facebook violated the FTC Act’s prohibition against deceptive practices by failing to disclose it would use users’ phone numbers for advertising purposes when they were told it would enable a security feature called two-factor authentication. The new settlement order prohibits Facebook from using phone numbers obtained through security feature set-up to be used for advertising.

Despite the unprecedented size of the fine, Democrats and Republicans criticized it after news of the FTC’s approval leaked, saying that Facebook should be forced to make structural changes to curb its power.

“Given Facebook’s repeated privacy violations, it is clear that fundamental structural reforms are required,” Democratic Sen. Mark Warner said in a statement on July 12. “With the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it’s time for Congress to act.”

Rep. David Cicilline, D-R.I., called the settlement “a slap on the wrist.”

“This fine is a fraction of Facebook’s annual revenue,” he said in a statement on July 12. “It won’t make them think twice about their responsibility to protect user data.”

Facebook had expected the settlement, taking a one-time charge of $3 billion in anticipation of the FTC fine in April in the company’s first-quarter results.

Correction: An earlier version had the wrong political party for Rep. David Cicilline. He is a Democrat.

WATCH: Here’s how to see which apps have access to your Facebook data — and cut them off


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments