Federal regulators have fined Facebook $5 billion for privacy violations and are instituting new oversight and restrictions on its business. But they are only holding CEO Mark Zuckerberg personally responsible in a limited fashion.
The fine is the largest the Federal Trade Commission has levied on a tech company, though it won’t make much of a dent for a company that had nearly $56 billion in revenue last year.
As part of the agency’s settlement with Facebook, Zuckerberg will have to personally certify his company’s compliance with its privacy programs. The FTC said that false certifications could expose him to civil or criminal penalties.
Some experts had thought the FTC might fine Zuckerberg directly or seriously limit his authority over the company.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” Joe Simons, the chairman of the FTC, said in a statement. He added that the new restrictions are designed “to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
Facebook isn’t admitting any wrongdoing as part of the settlement.
Two of the five commissioners opposed the settlement and said they would have preferred litigation to seek tougher penalties.
Facebook’s top lawyer, Colin Stretch, said the company’s FTC settlement will lead to more rigorous management of user privacy — including more technical controls to better automate privacy safeguards.
Facebook will also pay a separate $100 million fine to the Securities and Exchange Commission to settle charges it made misleading disclosures about the risk of misuse of Facebook user data. Though Facebook isn’t officially admitting wrongdoing there either, Stretch said in a blog post that Facebook should have disclosed more to investors.
The FTC opened an investigation into Facebook last year after revelations that data mining firm Cambridge Analytica had gathered details on as many as 87 million Facebook users without their permission. The agency said Wednesday that following its yearlong investigation of the company, the Department of Justice will file a complaint alleging that Facebook “repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences.”
The SEC fine also pertains to Cambridge Analytica. The SEC said Facebook presented misuse of data as a hypothetical for two years even though it knew the third-party developer had actually misused user data. That misuse was discovered in 2015, according to the SEC, but Facebook did not correct its existing disclosure for more than two years. When the company disclosed the incident in March 2018 its stock price dropped.
Stretch said Facebook’s handling of the Cambridge Analytica affair was “a breach of trust between Facebook and the people who depend on us to protect their data.”
The FTC had been examining whether that massive breakdown violated a settlement that Facebook reached in 2012 after government regulators concluded the company repeatedly broke its privacy promises to users. That settlement had required that Facebook get user consent to share personal data in ways that override their privacy settings.
The FTC said Facebook’s deceptive disclosures about privacy settings allowed it to share users’ personal information with third-party apps that their friends downloaded but the users themselves did not give permissions to.
Privacy advocates have pushed for the FTC to limit how Facebook can track users — something that would likely cut into its advertising revenue, which relies on businesses being able to show users targeted ads based on their interests and behavior. The FTC did not specify such restrictions on Facebook.
Three Republican commissioners voted for the fine while two Democrats opposed it, a clear sign that the restrictions on Facebook don’t go as far as critics and privacy advocates had hoped. That wish list included specific punishment for Zuckerberg, strict limits on what data Facebook can collect and possibly even breaking off subsidiaries such as WhatsApp and Instagram.
“The proposed settlement does little to change the business model or practices that led to the recidivism,” wrote Commissioner Rohit Chopra in his dissenting statement. He noted that the settlement imposes “no meaningful changes” to the company’s structure or business model. “Nor does it include any restrictions on the company’s mass surveillance or advertising tactics,” he wrote.
The fine is well above the agency’s previous record for privacy violations — $22.5 million — which it dealt to Google in 2012 for bypassing the privacy controls in Apple’s Safari browser. There have been even larger fines against non-tech companies, including a $14.7 billion penalty against Volkswagen to settle allegations of cheating on emissions tests and deceiving customers. Equifax will pay at least $700 million to settle lawsuits and investigations over a 2017 data breach; the FTC was one of the parties. The money will likely go to the U.S. Treasury.
The FTC’s new 20-year settlement with Facebook establishes an “independent privacy committee” of Facebook directors. The committee’s members must be independent, will be appointed by an independent nominating committee and can only be fired by a “supermajority” of Facebook’s board of directors. The idea is to remove “unfettered control” by Zuckerberg, the FTC said.
Since the Cambridge Analytica debacle erupted more than a year ago, Facebook has vowed to do a better job corralling its users’ data. Nevertheless, other missteps have come up since then.
In December, for example, the Menlo Park, California, company acknowledged a software flaw had exposed the photos of about 7 million users to a wider audience than they had intended. It also acknowledged giving big tech companies like Amazon and Yahoo extensive access to users’ personal data, in effect exempting them from its usual privacy rules. And it collected call and text logs from phones running Google’s Android system in 2015.
Amid all that, Zuckerberg and his chief lieutenant, Sheryl Sandberg, apologized repeatedly. In March, Zuckerberg unveiled a new, “privacy-focused” vision for the social network that emphasizes private messaging and groups based on users’ interests.
But critics and privacy advocates are not convinced that either a fine or Facebook’s new model amounts to a substantial change.
If the company’s business practices don’t change as result of the FTC’s action, “there is no benefit to consumers,” said Marc Rotenberg, the president and executive director of the Washington-based nonprofit Electronic Privacy Information Center.
“The eight-year delay won’t be justified,” he said, referring to when Facebook first told the FTC it would do better.
The fine does not spell closure for Facebook, although the company’s investors — and executives — have been eager to put it behind them. Facebook is still under various investigations in the U.S. and elsewhere in the world, including the European Union, Germany and Canada. There are also broader antitrust concerns that have been the subject of congressional hearings, though it is too early to see if those will come to fruition.
Matt Stoller, a fellow at the Open Markets Institute, which has been critical of Facebook, said the company should admit wrongdoing.
“There should be structural solutions to force competition into the social networking market,” he added. “One of the angles for competition is privacy. They will compete to make a safer space to retain their user base.”
Ortutay reported from San Francisco. Associated Press writer Samantha Maldonado in San Francisco, Mae Anderson in New York, Matt O’Brien in Providence, Rhode Island, and Frank Bajak in Boston contributed to this story.