The 20-year settlement is the result of a yearlong investigation by the FTC into Facebook’s alleged user privacy-related deceit in violation of a settlement reached between the two sides in 2012.
As part of the new accord, Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order.
The FTC said the 5-billion-dollar fine “is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.”
In addition to the massive fine, the FTC also mandates that Facebook create an independent privacy committee on its board of directors, “removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy,” the FTC said in the announcement.
Members of the committee, the FTC said, will be nominated by an independent nominating committee and can only be fired by a supermajority of the company’s board of directors.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” FTC Chairman Joe Simons said in a statement.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” Simons said. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
The FTC order will also tighten external oversight of Facebook by establishing an FTC-approved and independent third-party assessor, which will conduct biennial assessments and report to the new privacy committee quarterly. Facebook is required to notify the assessor and the FTC within 30 days of discovering that data of 500 or more users has been compromised, according to the FTC.
“The order prohibits the company from making any misrepresentations to the assessor,” the FTC said, adding that the order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order.
In a complaint accompanying the announcement, the FTC alleged that Facebook violated the agency’s 2012 settlement mandate “by deceiving its users when the company shared the data of users’ Facebook friends with third-party app developers, even when those friends had set more restrictive privacy settings,” among other wrongdoings that undermined users’ ability to control the privacy of their personal information.
Wednesday’s settlement was approved in a 3-2 vote by FTC commissioners. The three Republican commissioners, Simons, Noah Joshua Phillips and Christine Wilson, voted to support the settlement. They hailed the resolution as a “historic victory for American consumers” in a joint statement issued following the announcement.
“The magnitude of this penalty resets the baseline for privacy cases – including for any future violation by Facebook – and sends a strong message to every company in America that collects consumers’ data: where the FTC has the authority to seek penalties, it will use that authority aggressively,” the trio said.
The two dissenting commissioners, Rohit Chopra and Rebecca Kelly Slaughter, are both Democrats.
“While it is difficult in this case to quantify the economic value of the violations to the company, there is good reason to believe $5 billion is a substantial undervaluation,” Slaughter said in a dissenting statement.
“The fact that Facebook’s stock value increased with the disclosure of a potential $5 billion penalty may suggest that the market believes that a penalty at this level makes a violation profitable,” she added. Facebook’s 2018 revenue neared 56 billion dollars.
In a separate release Wednesday, the Securities and Exchange Commission (SEC) announced charges against Facebook for making misleading disclosures regarding the risk of misuse of Facebook user data. The company agreed to pay 100 million dollars to settle the charges, the SEC said.
The SEC said the now-defunct Cambridge Analytica, a London-based advertising and data analytics company, “paid an academic researcher, through a company he controlled, to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans.” Cambridge Analytica also used Facebook user information transferred to it to engage in political advertising activities, the SEC added.
“As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused,” said Stephanie Avakian, co-director of the SEC’s Enforcement Division. “Public companies must have procedures in place to make accurate disclosures about material business risks.”
The Cambridge Analytica-Facebook scandal, which emerged in early 2018, is also what the FTC probe stemmed from.
In a separate announcement Wednesday, the FTC said it filed an administrative complaint against Cambridge Analytica, alleging that the bankrupt company’s former chief executive and an app developer employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.
Cambridge Analytica CEO Alexander Nix and app developer Aleksandr Kogan agreed to administrative orders restricting how they conduct any business in the future, and requiring them to delete or destroy any personal information they collected, the FTC said.