Facebook must pay a record-breaking $5 billion fine as part of a settlement with the Federal Trade Commission, by far the largest penalty ever imposed on a company for violating consumers' privacy rights.
Facebook also agreed to adopt new protections for the data users share on the social network, and to measures that limit the power of CEO Mark Zuckerberg.
"We've agreed to pay a historic fine, but even more important, we're going to make some major structural changes to how we build products and run this company," Zuckerberg posted on Facebook.
Under the settlement, which concludes a year-long investigation prompted by the 2018 Cambridge Analytica scandal, the social networking giant must expand its privacy protections across Facebook itself, as well as on Instagram and WhatsApp. It must also adopt a corporate system of checks and balances to remain compliant, according to the FTC order. Facebook must also maintain a data security program, which includes protections of information such as users' phone numbers.
The company separately agreed to pay $100 million to settle data misuse charges brought by the Securities and Exchange Commission.
"Public companies must accurately describe the material risks to their business," Stephanie Avakian, co-director of the SEC's Enforcement Division, said in a statement. "As alleged in our complaint, Facebook presented the risk of misuse of users' data as hypothetical when they knew user data had in fact been misused."
Facebook's privacy practices have long been in the government's crosshairs and under the scrutiny of consumer watchdog groups, not all of which are satisfied with the terms of today's agreement.
Zuckerberg has appeared in congressional hearings after the Cambridge Analytica scandal surfaced. Facebook suspended the data analysis and political consulting firm Cambridge Analytica in March 2018 for improper access to user data. That move came after The New York Times and The Observer said Cambridge Analytica had access to 50 million profiles and used them to target ads during the 2016 presidential election campaign. At the time, Facebook said it knew the firm had violated its policies by obtaining and secretly passing on the data, which users had agreed to share with a personality prediction app.
The separate SEC complaint also dates back to Facebook's response to Cambridge Analytica. The allegation, which Facebook, even in agreeing to the final $100 million judgment, neither admits nor denies, is that in 2014 and 2015, Cambridge Analytica paid an academic researcher to "collect and transfer data from Facebook to create personality scores for approximately 30 million Americans" and that Facebook discovered this misuse in 2015, but failed to correctly disclose it for more than two years.
The $5 billion FTC fine is nearly 20 times greater than the largest privacy or data security penalty that has ever been assessed worldwide, and is one of the largest ever imposed by the U.S. government for any violation.
As part of the settlement, the FTC's order also curbs Zuckerberg's oversight in privacy and security matters, with the requirement that Facebook create a new privacy committee with independent board members who cannot be removed without a two-thirds shareholder vote. Zuckerberg and designated compliance officers each must submit individual quarterly compliance reports to the FTC.
Additionally, a third-party assessor will monitor Facebook's privacy-related decisions going forward.
The commission approved the settlement with a 3-2 vote, with the dissenting commissioners wanting tougher action taken against Zuckerberg.
But the order achieves more than the FTC could have achieved by going to court, say Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine Wilson, who approved the settlement, in their lengthy statement.
"The Order significantly diminishes Mr. Zuckerberg’s power – something no government agency, anywhere in the world, has thus far accomplished," the statement says.
"The provisions of this Order extinguish the ability of Mr. Zuckerberg to make privacy decisions unilaterally by also vesting responsibility and accountability for those decisions within business units, DCOs (digital compliance officers), and the privacy committee."
The settlement hasn't placated Facebook's harshest critics.
"A penalty that doesn’t require real structural changes, that financially is a drop in the bucket, and that appears to absolve Facebook of any liability over additional abuses like tricking kids into in-app purchases, is a get out of jail free card for Facebook and sends a signal to the rest of the industry that business as usual is acceptable," said Common Sense CEO James Steyer in a statement. "This punishment simply does not fit the crime and we strongly encourage policymakers to consider this just the very beginning of a long way we have to go to hold Facebook and the tech industry accountable for protecting the privacy of users, especially young people."
Consumer Reports president and CEO Marta Tellado added, "As expected, the size of the settlement is historic, but these attempts to hold Facebook accountable are not enough to make a real difference. With a weak and under-resourced FTC, and a glaring need for far more comprehensive privacy laws, Congress must raise the standards for consumers and hold Big Tech accountable."
Earlier this week, the FTC, Consumer Financial Protection Bureau and 50 states and territories reached a settlement with credit-reporting company Equifax over allegations that it did not implement sufficient security measures to prevent a massive data breach. Equifax must pay at least $575 million and potentially as much as $700 million.
Previously, the FTC’s highest fines were to Google, which paid $22.5 million in 2012, and Upromise, which paid $500,000 in 2017.
Facebook agreed to the settlement with the agency over allegations it broke a previous agreement over privacy protections.
The changes the company agreed to will likely make it take longer to bring new features to Facebook and its other products, Zuckerberg said.
But it is the company's "responsibility to protect people's privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry," Zuckerberg said. "Overall, these changes go beyond anything required under US law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone."
Facebook (FB) shares were down more than 1% in early trading to $199.94; shares have risen 47% so far this year. The company is expected to release its second-quarter 2019 results after the market closes Wednesday.
The FTC also announced separate settlements with Cambridge Analytica, its former CEO Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company. The actions allege Cambridge "used false and deceptive tactics to harvest personal information from millions of Facebook users" and all face restrictions on future business.