Facebook will pay an unprecedented $5 billion penalty over privacy breaches

The Federal Trade Commission announced a $5 billion settlement with Facebook (FB) on Wednesday, resolving a sweeping investigation by regulators into how the company lost control over massive troves of personal data and mishandled its communications with users. It is the largest fine in FTC history — and yet still only about a month’s worth of revenue for Facebook.

The deal comes amid growing calls in Washington for greater transparency and accountability for technology companies, whose power over social movements as well as personal information has increasingly come to be seen as dangerous by politicians, users, and even one of Facebook’s co-founders.

Facebook agreed to the deal following years of damaging admissions about the company’s privacy practices, such as the inadvertent exposure of up to 87 million users’ information to the political analysis firm Cambridge Analytica.

The settlement resolves a formal complaint by the FTC alleging that Facebook “used deceptive disclosures and settings” that eroded user privacy, violating a prior agreement Facebook signed with the commission in 2012. Facebook also broke the law, the FTC alleged, by misusing phone numbers obtained for account security purposes to also target advertisements to its users. And the company allegedly deceived “tens of millions of users” by implying that a facial recognition feature on the service had not been enabled by default, when in fact it had.

“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” said Chairman Joseph Simons in a statement. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

In a Facebook post published shortly after the FTC’s announcement Wednesday, company CEO Mark Zuckerberg said, “We’ve agreed to pay a historic fine, but even more important, we’re going to make some major structural changes to how we build products and run this company. We have a responsibility to protect people’s privacy. We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry.”

Separately Wednesday, the Securities and Exchange Commission announced that Facebook had agreed to pay $100 million to settle “charges… for making misleading disclosures regarding the risk of misuse of Facebook user data.”
Facebook’s stock was down slightly when the market opened Wednesday morning.

The FTC settlement — which also covers Facebook subsidiaries Instagram and WhatsApp — could set the tone for a wave of further action by policymakers worldwide as they seek to rein in the most powerful players in Silicon Valley.

The $5 billion fine is nearly 30 times the FTC’s largest-ever civil penalty to date — $168 million, which was levied on Dish Network (DISH) in 2017 — reflecting the tremendous scale of Facebook’s operations, as well as the enormity of its self-admitted mistakes.

In addition to the record civil penalty, Facebook also agreed to accept greater oversight of its privacy practices. Under the FTC deal, Facebook’s board will form a privacy oversight committee made up of independent members who cannot be fired by Zuckerberg alone. That committee will be charged with appointing still other officials who must periodically and truthfully certify that Facebook is complying with the FTC agreement, or risk being held personally liable. Zuckerberg will also be required to make those same certifications, the FTC said.

“False certifications would subject Mr. Zuckerberg and the [designated compliance officers] to personal liability, including civil and criminal penalties,” Simons said in a statement written jointly with the Commission’s two other Republican members, Christine Wilson and Noah Phillips.
The FTC also required that regular third-party assessments of Facebook’s privacy practices not rely on company materials but instead on the auditor’s own fact-finding.

The FTC voted 3-2 to approve the settlement, with the agency’s two Democrats dissenting because they believed the measure did not go far enough. In dissents, Commissioners Rohit Chopra and Rebecca Slaughter said they believed the fines were far too small, and that the FTC wrongfully gave Zuckerberg and Facebook COO Sheryl Sandberg a pass.

“Failing to hold them accountable only encourages other officers to be similarly neglectful in discharging their legal obligations,” wrote Chopra. “In my view, it is appropriate to charge officers and directors personally when there is reason to believe that they have meaningfully participated in unlawful conduct, or negligently turned a blind eye toward their subordinates doing the same.”

Other prominent tech critics, including Democratic Sen. Richard Blumenthal of Connecticut and Missouri Republican Sen. Josh Hawley, have said a $5 billion fine would be “a bargain” for Facebook. In an earnings report earlier this year, Facebook said it was setting aside $3 billion to help cover expenses related to the expected penalty. It reported quarterly revenues of $15 billion at the time and its stock rose after it announced the charge, signaling investors were relieved by the probable outcome.

Facebook initially offered to pay $0 to resolve the Federal Trade Commission’s investigation into the tech giant’s privacy practices, according to details of the closed-door negotiations obtained by CNN.

The company later increased that number to $100 million, but its highest offer in the talks topped out at $1 billion, James Kohm, director of the FTC’s enforcement division and a lead agency negotiator, told CNN in an interview Wednesday.

That is far less than the $5 billion Facebook eventually agreed to pay. But it also pales in comparison to the tens of billions that the FTC initially sought from Facebook for violating a 2012 privacy-related consent order.

Kohm described that stage of the talks as early and said that Facebook’s proposals at the time were not serious. When the two sides reached a ballpark amount, the talks became more serious and shifted to other proposed measures such as changes the FTC wanted from Facebook’s governance and accountability structures.

“At several points we walked out or threatened to walk out,” said Kohm. “It was contentious, but it was professional and adult.”

Neither Zuckerberg nor COO Sheryl Sandberg were deposed as a part of the investigation, Kohm said. But, he added, the Justice Department interviewed roughly two dozen company officials, including some senior officials, and provided notes to the FTC.
The final settlement stretched on for 20 pages, said Kohm, and “every single word was negotiated.”