Sixteen months after the Cambridge Analytica scandal hit headlines, Facebook is finally going to have to pay up. On Wednesday, the Federal Trade Commission announced that it is slapping Facebook with a record-breaking $5 billion fine. It’s the largest fine for a privacy violation in U.S. history and one of the largest penalties ever imposed on a company by the U.S. government, period. The Chairman of the FTC, Joe Simmons, said in a statement that “this settlement represents an unprecedented victory for consumer privacy.”
The FTC began investigating Facebook after the public learned that the data of 87 million users had wrongfully landed in the hands of Cambridge Analytica, a politics analytics firm that worked for the Trump campaign in 2016.
Specifically, the FTC alleges that the company deceived users about their ability to control the privacy of the information that they shared on Facebook, including their lists of friends, religious affiliation, “likes,” work history, and other information. The FTC also says that Facebook misrepresented how its facial recognition technology, which was turned on by default with a setting called “Tag Suggestions,” was used on people’s personal photos. Further, Facebook is being charged with deceiving users who offered their phone numbers to the social media company in order to turn on a security feature. Facebook later used those phone numbers to target people with advertising.
On top of the $5 billion fine, the FTC also ordered that Facebook establish an “independent privacy committee” on the company’s board of directors. Doing so reduces CEO Mark Zuckerberg’s control over matters that concern the privacy of Facebook users. Additionally, compliance officers and Zuckerberg are now required to report quarterly to the FTC to demonstrate that the company is complying with its new privacy requirements. Failure to comply could lead to civil or criminal charges, the FTC says. The new privacy requirements also cover Facebook–owned WhatsApp and Instagram, and the FTC is further requiring that all new products from Facebook, WhatsApp, or Instagram submit to a privacy review before being made public. Facebook is also now required to encrypt all user passwords and scan its systems to ensure user passwords are stored securely, following an incident earlier this year when it was reported that hundreds of millions of Facebook user passwords were stored in searchable plain text on the company’s servers. The FTC is holding Facebook to these new oversight requirements for the next 20 years.
But under the terms of the settlement, Facebook does not have to admit any guilt for its transgressions, and the FTC does not require structural changes to the way the platform collects and monetizes user data. “It’s unfortunately pretty commonplace for large companies like Facebook to settle with the FTC without an admission of guilt,” Ashkan Soltani, former chief technologist of the Federal Trade Commission, said in an email. “One of the benefits is that it shields the firm from follow on actions by other regulators and plaintiffs’ firms seeking redress, while still allowing them to avoid a court battle.”
Perhaps most shockingly, the settlement between the FTC and Facebook specifically indemnifies Facebook, its executives, and its board of directors against “any and all claims … prior to June 12, 2019.” This, according to Soltani, is “really unusual,” and perhaps explains why Facebook was willing to settle with a $5 billion fine. “The fact that [Facebook] had so many other potential violations is not a compelling rationale to give them blanket immunity!” Justin Brookman, who is currently director of consumer privacy and technology for Consumer Reports and previously served as the policy director of the FTC’s Office of Technology Research and Investigation, tweeted. Such immunity essentially lets Facebook off the hook for anything that the FTC didn’t include in its current list of charges, including privacy incidents that may be found through future investigations into the company.
The FTC voted along party lines to approve the new privacy requirements, with the three Republicans voting in favor and two Democrats voting against. In her dissenting statement, Commissioner Rebecca Slaughter holds that the information gleaned from the FTC investigation “more than justified initiating litigation against Facebook and Mr. Zuckerberg,” which she suggested could be referred to the Department of Justice to pursue. Litigation, according to Slaughter, could have been used to compel Facebook to hand over more documents in a discovery process and lead to additional information that would influence a court’s decision.
Facebook’s settlement demonstrates why we need federal privacy protections for consumers across the technology industry. Indeed, it may do very little to prevent Facebook from further violating user privacy in the future. The privacy committee that’s supposed to help shepherd oversight at Facebook will be approved by Facebook’s board of directors. Its members won’t be required to ensure that benchmarks on improving user privacy are met—instead, according to the dissent of Commissioner Rohit Chopra, “they are charged only with ensuring that paperwork has been completed.”
But Facebook is still facing government scrutiny. On Tuesday, the Department of Justice announced its officially opening an probe into how large online platforms, like Facebook, Google, Apple, and Amazon, may be abusing their market power to shut down competition.