Facebook must pay a record-breaking $5 billion fine as part of a settlement with the Federal Trade Commission, by far the largest penalty ever imposed on a company for violating consumers’ privacy rights.
The deal comes amid growing calls in Washington for greater transparency and accountability for technology companies, whose power over social movements as well as personal information has increasingly come to be seen as dangerous by politicians, users, and even one of Facebook’s co-founders.
Facebook agreed to the deal following years of damaging admissions about the company’s privacy practices, such as the inadvertent exposure of up to 87 million users’ information to the political analysis firm Cambridge Analytica.
“We’ve agreed to pay a historic fine, but even more important, we’re going to make some major structural changes to how we build products and run this company,” Zuckerberg posted on Facebook.
The FTC settlement — which also covers Facebook subsidiaries Instagram and WhatsApp — could set the tone for a wave of further action by policymakers worldwide as they seek to rein in the most powerful players in Silicon Valley.
Facebook also agreed to accept greater oversight of its privacy practices. Under the FTC deal, Facebook’s board will form a privacy oversight committee made up of independent members who cannot be fired by Zuckerberg alone.
That committee will be charged with appointing still other officials who must periodically and truthfully certify that Facebook is complying with the FTC agreement, or risk being held personally liable. Zuckerberg will also be required to make those same certifications, the FTC said.
The FTC also required that regular third-party assessments of Facebook’s privacy practices not rely on company materials but instead on the auditor’s own fact-finding.
The FTC voted 3-2 to approve the settlement, with the agency’s two Democrats dissenting because they believed the measure did not go far enough. In dissents, Commissioners Rohit Chopra and Rebecca Slaughter said they believed the fines were far too small, and that the FTC wrongfully gave Zuckerberg and Facebook COO Sheryl Sandberg a pass.
Facebook must also conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy, per the order.
The designated compliance officers must submit a quarterly privacy review report, sharing this with Facebook’s CEO and the independent assessor, as well as with the FTC upon its request.
The FTC notes a laundry list of what it couches as “significant new privacy requirements” that it’s also imposing on the company — writing that:
- Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data
- Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising
- Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users
- Facebook must establish, implement, and maintain a comprehensive data security program
- Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext
- Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
In another response, Zuckerberg has posted a comment about the settlement on his Facebook page — where he says “we’re going to make some major structural changes to how we build products and run this company”.
Also, he discussed these changes at a company-wide event this morning. Here is part of his remarks: FTC Agreement Brings Rigorous New Standards for Protecting Your Privacy
Do you feel your data is safe with Facebook?