The Federal Trade Commission formally announced its $5 billion settlement with Facebook on Wednesday morning, which is the culmination of a years-long investigation into the Cambridge Analytica scandal and other privacy breaches.
In the agreement filed today, the FTC alleges that Facebook violated the law by failing to protect data from third parties, serving ads through the use of phone numbers provided for security, and lying to users that its facial recognition software was turned off by default. In order to settle those charges, Facebook will pay $5 billion — the second-largest fine ever levied by the FTC — and agree to a series of new restrictions on its business.
“The order allows Facebook to decide for itself how much information it can harvest”
Aside from the multibillion-dollar fine, Facebook will be required to conduct a privacy review of every new product or service that it develops, and these reviews must be submitted to the CEO and a third-party assessor every quarter. As it directly relates to Cambridge Analytica, Facebook will now be required to obtain purpose and use certifications from apps and third-party developers that want to use Facebook user data. However, there are no limits on what data access the company can authorize to those groups once the disclosure is made.
“The Order imposes a privacy regime that includes a new corporate governance structure, with corporate and individual accountability and more rigorous compliance monitoring,” the three supporting FTC commissioners wrote in a statement. “This approach dramatically increases the likelihood that Facebook will be compliant with the Order; if there are any deviations, they likely will be detected and remedied quickly.”
Facebook’s facial recognition software also comes under fire from the settlement. Under the new rules, the company will be required to obtain affirmative consent to create new facial recognition models, although it will not be required to destroy old models that may have been created without such consent.
“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company,” Facebook said in a blog post Wednesday morning. “It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.” Together with the agreement, Facebook will also pay $100 million to the Securities and Exchange Commission for failing to disclose the breach to investors.
According to reporting by The Washington Post, the FTC voted to approve the $5 billion penalty along party lines, with the Democratic minority members rejecting the settlement as insufficient. Democratic commissioners were particularly concerned that Mark Zuckerberg and other high-level executives were exempted from any personal liability for the violations, the Post found. But the agency abstained from pursuing even greater punishments like a substantially larger fine and finding CEO Mark Zuckerberg personally liable.
For the Democratic FTC commissioners, those meager penalties amounted to letting Facebook off the hook. “The settlement’s $5 billion penalty makes for a good headline,” FTC commissioner Rohit Chopra wrote in his dissent. “But the terms and conditions, including blanket immunity for Facebook executives and no real restraints on Facebook’s business model, do not fix the core problems that led to these violations.”
“The settlement imposes no meaningful changes to the company’s structure or financial incentives,” Chopra continued, “nor does it include any restrictions on the company’s mass surveillance or advertising tactics. Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.”
Another dissent from commissioner Rebecca Kelly Slaughter criticized the decision to release Mark Zuckerberg and other senior executives from any personal liability. “Rather than accepting this settlement, I believe we should have initiated litigation against Facebook and its CEO Mark Zuckerberg,” Slaughter wrote in her dissent. “When executives at large companies exercise control over decisions, including decisions to break the law, they should be held accountable the same way executives at smaller companies are.”
The commissioners met with members of Congress on Monday to lay out the details of the settlement, which was reportedly met with some disappointment from tech critics in Congress. According to Bloomberg Law, Sen. Richard Blumenthal (D-CT) called the deal a “pin-prick.” In response to the Post reporting, House antitrust leader Rep. David Cicilline (D-RI) referred to it as a “slap on the wrist” for a company with $55 billion in yearly revenue.
Those complaints have added momentum to the push to expand the FTC’s legal powers. After announcing a $700 million settlement with Equifax earlier this week, FTC chairman Joe Simons pleaded with Congress to empower the agency with a new civil penalty authority for first-time offenders. In that case, the Consumer Finance Protection Bureau (CFPB), which rarely seeks civil penalties, was able to slap the multimillion-dollar punishment on the company.
“Fortunately, other agencies were able to fill in the gap — this time,” Simons said, referring to CFPB’s Equifax action. “But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence.”