It’s a big day for the big blue app.
The Federal Trade Commission (FTC) formally announced Wednesday it will fine Facebook $5 billion over Cambridge Analytica-related privacy violations and install oversight procedures to prioritize privacy and ensure enforcement at the company.
In addition, a more than $100 million fine is expected from the Securities and Exchange Commission over inadequate privacy disclosures.
And Facebook reports its second quarter earnings tonight after the bell.
The hefty fine, which Facebook had been preparing for, is the largest ever imposed on a company for consumer privacy violations and the second largest ever levied by the FTC. It’s also the second largest penalty obtained by the Department of Justice and 20 times larger than any GDPR violation in the EU thus far.
“This is one of the largest civil penalties for any conduct in US history, alongside cases involving enormous environmental damage and massive financial fraud,” said FTC Chairman Joseph Simons during a press conference.
The investigation that led to the 20-year settlement order, which also covers Instagram and WhatsApp, was triggered by Facebook’s violation of a 2012 consent decree that prohibits the platform from misleading users about the security of their personal information. The FTC found that Facebook had disobeyed the decree in 2016 when it allowed data analytics company Cambridge Analytica to collect personal information from millions of Facebook users without their knowledge or consent.
The settlement also covers violations involving improper disclosures related to Facebook’s use of facial recognition technology and user phone numbers. Facebook told users it was collecting their digits for two-factor authentication without revealing that the data would also be used for ad targeting.
“Facebook betrayed the trust of its users and deceived them about their ability to control their personal information,” Simons said.
The FTC also announced a separate action against Cambridge Analytica, its former CEO Alexander Nix and independent researcher Aleksandr Kogan for using “false and deceptive tactics” to collect personal information from Facebook users.
Compliance first
The FTC is also putting new restrictions in place that govern how Facebook runs its business, requiring the company to engage in a costly restructure of its approach to privacy by creating five overlapping channels of compliance.
“We’re going to make some major structural changes to how we build products and run this company,” Facebook CEO Mark Zuckerberg wrote in a post on Facebook.
Facebook must launch an independent board committee, selected by an independent nominating committee, focused solely on privacy decisions. The committee will remove Zuckerberg’s unfettered control over the company’s privacy decisions.
“Management matters,” said Republican FTC commissioner Noah Phillips. “Governance matters, particularity in the context of privacy. When problems arise, more people will hear about them and take action.”
Facebook will also have to designate independent compliance officers, approved by the new board committee, to enforce privacy by submitting quarterly and annual certifications to the committee and the FTC. Only the board has jurisdiction to remove these officers, who must have a background in corporate compliance and familiarity with data protection practices.
Any false certifications made by Zuckerberg or Facebook executives will be subject to civil or criminal penalties.
“The big thing here is that they have to be truthful in their statements about what their privacy practices are,” Simons said.
In addition, the order requires Facebook and its family of apps to review every newly launched or modified product for privacy compliance and report when the data of 500 or more users has been compromised within 30 days – aka, a paper trail for anything that could be a privacy implication.
“Civil and criminal penalties have a way of focusing on the mind,” Republican commissioner Christine Wilson said.
The FTC is also imposing greater oversight of third-party app developers, prohibiting Facebook from using phone numbers for security features, requiring the creation clearer disclosures around Facebook’s use of facial recognition technology and mandating the establishment of a comprehensive data security program.
“This is a sea change in the way Facebook addresses consumer privacy with a ‘belt and suspenders’ approach to compliance,” Simons said.
But is it enough?
The FTC’s settlement was decided after a 3-2 vote on party lines, with Democratic commissioners Rohit Chopra and Rebecca Slaughter delivering dissenting opinions. Both argue that the FTC’s decision does little to change the actual business model and privacy practices at Facebook.
“The settlement imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations,” Chopra said in a statement, “Nor does it include any restrictions on the company’s mass surveillance or advertising tactics. Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.”
Questions came up during the FTC’s morning press conference about Zuckerberg remaining the controlling shareholder at Facebook.
The FTC could have gone to court over the issue, but felt it got enough relief from the settlement in a much quicker time period.
“We would’ve had years of litigation and much less relief much later than we do now,” Simons said.
The Commission reiterated that the scope of the settlement is about Facebook’s violation of the 2012 consent decree, not to “vindicate every concern the world has about Facebook,” Republican commissioner Noah Philips said.
Simons noted that the FTC has limited jurisdiction over Facebook’s privacy practices and urged Congress to pass a federal privacy law to address such concerns.
“Would it have been nice to get more?” he said. “To get $10 billion instead of $5 billion? To get greater restrictions on how Facebook collects, uses and shares data? To put Zuckerberg’s name in the complaint caption? We did not have those options.”
If there’s one lesson big companies should learn from the FTC’s settlement, it’s this: “The price of privacy violations just went up,” Philips said. “Paying attention to privacy issues is something companies ought to consider whether to elevate to the board level.”