Facebook and the FTC Reach $5 Billion Settlement Over Privacy

It also imposes new requirements and accountability

[Photo: Facebook CEO Mark Zuckerberg speaking onstage. Caption: The FTC wants to prevent CEO Mark Zuckerberg from having "unfettered control" over the company's decisions about user privacy. Credit: Justin Sullivan, Getty Images]

Facebook and the Federal Trade Commission have reached a settlement in a privacy case that will require the social network to pay a record $5 billion fine while also placing additional restrictions on the company to ensure it secures users’ information.

The settlement, announced today by the FTC and Facebook, includes a fine nearly 20 times larger than the previous record for a privacy violation. It’s the culmination of a yearlong investigation by the FTC, which alleged Facebook took “inadequate steps to deal with apps that it knew were violating its platform policies.”

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” FTC Chairman Joe Simons said in a statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously and will enforce FTC orders to the fullest extent of the law.”

The FTC is requiring Facebook to put in place a number of new policies to prevent further privacy problems. For example, the commission is ordering Facebook to create an independent privacy committee of Facebook’s board of directors. The FTC says that will prevent CEO Mark Zuckerberg from having “unfettered control” over the company’s decisions about user privacy. An independent nominating committee will appoint members of the committee, and only a supermajority of Facebook’s board of directors can fire them.

Facebook will have to designate compliance officers who are approved by the privacy committee rather than by the company's management. The compliance officers' tasks include submitting quarterly certifications assuring that the company is compliant with its privacy program. The order also places new responsibilities on Zuckerberg, who will have to sign off on the certifications as well. Any false certification could result in individual civil or criminal penalties.

The order also imposes additional privacy requirements, including the following:

  • Establishing oversight of third-party apps, including terminating developers that don't comply with Facebook's privacy policies
  • Banning the use of telephone numbers collected for security purposes (such as two-factor authentication) in advertising
  • Providing "clear and conspicuous notice" of the use of facial-recognition technology and requiring consent from users before using it for anything that "materially exceeds its prior disclosures"
  • Establishing, implementing and maintaining a "comprehensive data security program"
  • Encrypting user passwords (in practice, storing them only as salted, slow hashes rather than in any reversible form) and regularly scanning to detect whether any were stored in plaintext
  • Banning Facebook from asking for users' email passwords when they sign up for the social network's services
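The password requirement above bundles two distinct controls: how passwords are stored, and a recurring scan for copies that escaped into plaintext (the scenario behind the 2019 disclosure that some passwords had been written to internal logs). The order's word is "encrypt", but reversible encryption would let anyone holding the key recover the passwords; the accepted practice is a salted, deliberately slow one-way hash, which is what the following does. This is an added example, not Facebook's code and not anything from the FTC order: the record format, the PBKDF2-HMAC-SHA256 parameters, the field names the scanner looks for, and the sample log lines are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Added example, not Facebook's code. The storage format and the 600,000
# PBKDF2-HMAC-SHA256 iterations are assumptions chosen for illustration.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A random 16-byte salt is generated unless one is supplied (only done
    here so the sample log below is reproducible)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# What a correctly stored record looks like; anything else found in a
# password field is treated as plaintext.
HASH_RE = re.compile(r"^pbkdf2_sha256\$\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")
# Matches key=value and "key": "value" forms for the usual field names
# (assumed names; extend the alternation for your own schema).
FIELD_RE = re.compile(r'\b(password|passwd|pwd)\b"?\s*[=:]\s*"?([^"\s,;&]+)', re.IGNORECASE)
REDACTION_MARKERS = {"[REDACTED]", "***", "<redacted>"}


def scan_for_plaintext(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, field name) for every password-like field whose
    value is neither a hash record nor a redaction marker.

    The offending value itself is deliberately not returned, so a findings
    report does not become one more copy of the secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in FIELD_RE.finditer(line):
            key, value = match.group(1), match.group(2)
            if value in REDACTION_MARKERS or HASH_RE.match(value):
                continue
            findings.append((lineno, key.lower()))
    return findings


# Constructed sample log lines; the fixed salt exists only so line 3 is reproducible.
FIXED_SALT = b"0123456789abcdef"
SAMPLE_LOG = [
    "login user=alice password=hunter2 result=ok",                  # plaintext: flagged
    '{"event":"signup","user":"bob","password":"Tr0ub4dor&3"}',     # plaintext: flagged
    "login user=carol password=" + hash_password("hunter2", FIXED_SALT) + " result=ok",  # hashed: clean
    "login user=dave password=[REDACTED] result=ok",                # redacted: clean
    "reset user=erin password_hash=pbkdf2_sha256$600000$c2FsdA==$ZGlnZXN0",  # other field, hashed: clean
]

if __name__ == "__main__":
    record = hash_password("hunter2")
    print("verify correct password:", verify_password("hunter2", record))
    print("verify wrong password:  ", verify_password("hunter3", record))
    for lineno, key in scan_for_plaintext(SAMPLE_LOG):
        print(f"line {lineno}: field '{key}' holds a plaintext password")
```

Run as a script it reports lines 1 and 2 of the constructed log and leaves the hashed, redacted and differently named fields alone. Two design points carry over to a real deployment: the scanner recognises the exact record format the storage code emits, so a change to one must be mirrored in the other, and the hash record is self-describing (algorithm and iteration count in the string), which is what lets a later scan tell a current record from an obsolete one when parameters are raised.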

Colin Stretch, Facebook’s vice president and general counsel, said in a statement about the settlement that the agreement will “require a fundamental shift” in the company’s approach to privacy. (As part of the investigation, Stretch said Facebook discovered “shortcomings” in its system earlier this month that allowed some partners to continue accessing Facebook data.)

“The accountability required by this agreement surpasses current U.S. law, and we hope will be a model for the industry,” Stretch wrote in a blog post. “It introduces more stringent processes to identify privacy risks, more documentation of those risks and more sweeping measures to ensure that we meet these new requirements. Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working—and that we find and fix them when they are not.”

In a separate settlement announced today, the FTC said it reached an agreement with the former CEO of Cambridge Analytica (the now-defunct British analytics firm that sparked the initial investigation last year into Facebook’s privacy issues) and the app developer associated with the company. The developer, Aleksandr Kogan, had created the Facebook app called GSRApp—which users knew as “This is your digital life”—that asked users to answer personality questions. The answers were then used to train an algorithm for reaching U.S. voters with targeted ads.
