Facebook and the FTC Reach $5 Billion Settlement Over Privacy

It also imposes new requirements and accountability

Facebook CEO Mark Zuckerberg speaking onstage
The FTC wants to prevent CEO Mark Zuckerberg from having 'unfettered control' over the company’s decisions about user privacy. Justin Sullivan — Getty Images
Headshot of Marty Swant

Facebook and the Federal Trade Commission have reached a settlement in a privacy case that will require the social network to pay a record $5 billion fine while also placing additional restrictions on the company to ensure it secures users’ information.

The settlement, announced today by the FTC and Facebook, includes a fine nearly 20 times larger than the previous record for a privacy violation. It’s the culmination of a yearlong investigation by the FTC, which alleged Facebook took “inadequate steps to deal with apps that it knew were violating its platform policies.”

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” FTC Chairman Joe Simons said in a statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously and will enforce FTC orders to the fullest extent of the law.”

The FTC is requiring Facebook to put in place a number of new policies to prevent further privacy problems. For example, the commission is ordering Facebook to create an independent privacy committee of Facebook’s board of directors. The FTC says that will prevent CEO Mark Zuckerberg from having “unfettered control” over the company’s decisions about user privacy. An independent nominating committee will appoint members of the committee, and only a supermajority of Facebook’s board of directors can fire them.

Facebook will have to designate compliance officers to be approved by the privacy committee instead of Facebook. The compliance officers’ tasks include submitting quarterly certifications assuring the company is compliant with its privacy policies. The order also places new responsibilities on Zuckerberg, who will have to sign off on the certifications as well. Any false certifications could result in individual civil or criminal penalties.

The FTC will also add additional privacy requirements including the following:

  • Creating oversight over third-party apps, which will include terminating developers that don’t comply with Facebook’s privacy policies
  • Banning the use of telephone numbers used for security for advertising
  • Providing “clear and conspicuous notice” of the use of facial-recognition technology and requiring consent from users before using it for anything that “materially exceeds its prior disclosures”
  • Establishing, implementing and maintaining a “comprehensive data security program”
  • Encrypting user passwords and regularly scanning to detect whether any were stored in plaintext
  • Banning Facebook from asking for email passwords when they sign up for the social network’s services

Colin Stretch, Facebook’s vice president and general counsel, said in a statement about the settlement that the agreement will “require a fundamental shift” in the company’s approach to privacy. (As part of the investigation, Stretch said Facebook discovered “shortcomings” in its system earlier this month that allowed some partners to continue accessing Facebook data.)

“The accountability required by this agreement surpasses current U.S. law, and we hope will be a model for the industry,” Stretch wrote in a blog post. “It introduces more stringent processes to identify privacy risks, more documentation of those risks and more sweeping measures to ensure that we meet these new requirements. Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working—and that we find and fix them when they are not.”

In a separate settlement announced today, the FTC said it reached an agreement with the former CEO of Cambridge Analytica (the now-defunct British analytics firm that sparked the initial investigation last year into Facebook’s privacy issues) and the app developer associated with the company. The developer, Aleksandr Kogan, had created the Facebook app called GSRApp—which users knew as “This is your digital life”—that asked users to answer personality questions. The answers were then used to train an algorithm for reaching U.S. voters with targeted ads.

However, the FTC said it is also suing Cambridge Analytica, alleging the company falsely claimed until at least November 2018 that it had participated in the EU-U.S. Privacy Shield framework, which allowed companies to transfer consumer data between the U.S. and EU. The FTC alleges the company let its certification lapse in May 2018 and also alleges that it failed to adhere to some requirements.

While the majority of the FTC voted for the settlements, two Democratic commissioners dissented. One of those was Rebecca Kelly Slaughter, who said she did not think the fine or the injunctive relief would be enough to keep Facebook accountable for how it treats user data.

“Rather than accepting this settlement, I believe we should have initiated litigation against Facebook and its CEO Mark Zuckerberg,” she wrote. “The Commission would better serve the public interest and be more likely to effectively change Facebook by fighting for the right outcome in a public court of law.”

The other dissenting commissioner was Rohit Chopra, who wrote in his 21-page dissent that the settlement “imposes no meaningful changes to [Facebook]’s structure or financial incentives, which led to these violations Facebook’s business model.”

“Nor does it include any restrictions on the company’s mass surveillance or advertising tactics,” he wrote. “Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.”

@martyswant martin.swant@adweek.com Marty Swant is a former technology staff writer for Adweek.