Facebook has agreed to pay more than $5bn to settle its cases with US regulators over misusing user data, in two settlements that it hopes will help alleviate some of the political hostility it has faced since the Cambridge Analytica scandal.
The Federal Trade Commission announced on Wednesday it had agreed a settlement with the social media company, which marked the largest civil penalty the commission has ever handed out.
Facebook has also agreed to impose new privacy protections as part of the agreement, including setting up a privacy committee, which will be independent from the board, and to appoint individual privacy compliance officers.
Mark Zuckerberg, chief executive, and the privacy officers will be required to certify that the company is in compliance with Facebook’s privacy programme on a quarterly basis. “Any false certification will subject them to individual civil and criminal penalties,” the FTC said.
Separately, the company has also agreed to pay $100m to the Securities and Exchange Commission, which said Facebook had made misleading disclosures over the misuse of user data.
The cases were both launched in the wake of the Cambridge Analytica data scandal in which user data were leaked to a political research group through a third-party app.
Since the scandal, Facebook has faced a barrage of criticism from regulators and politicians in Europe and the US, which have accused the company not only of misusing user data but also of allowing its platforms to be used to spread disinformation.
Facebook’s shares were down 0.6 per cent in morning trading, at $201, suggesting the settlement was broadly as investors had expected.
An ‘unprecedented’ penalty
Joe Simons, the chair of the FTC, said of the Facebook settlement: “The magnitude of the $5bn penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
The decision has split the FTC internally, however, with the two Democratic commissioners voting against the settlement for not going far enough.
In a dissenting statement, Rohit Chopra, one of the Democratic commissioners, said: “The proposed settlement does little to change the business model or practices that led to the recidivism.
“The settlement imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations. Nor does it include any restrictions on the company’s mass surveillance or advertising tactics.”
Six key terms of Facebook’s deal with the FTC
– Facebook must launch an independent privacy committee, which the FTC says will remove the “unfettered control” of chief Mark Zuckerberg over privacy-related decisions.
– The company must create a team of privacy compliance officers, who must, with Zuckerberg, certify that the company is in compliance with Facebook’s privacy programme on a quarterly basis to the commission. “Any false certification will subject them to individual civil and criminal penalties,” the FTC said.
– Facebook must document incidents when data of 500 or more users has been compromised and notify the commission within 30 days.
– The company must “exercise greater oversight” over third-party apps, and cut off app developers that fail to certify that they are in compliance with its policies or justify why they need certain data.
– Facebook must make clear to users its use of facial recognition technology and gain consent from them if it changes the way it uses this technology.
– The company must introduce a “comprehensive data security program”, encrypt users’ passwords and regularly check they are stored in this way.
As part of the agreement, Facebook will have to report to the FTC within 30 days if there has been any data breach that affects 500 or more users.
The order also “resolves all consumer-protection claims known by the FTC prior to June 12, 2019”. This means that recent potential data breaches, such as revelations earlier this year that Facebook improperly stored hundreds of millions of its users’ passwords internally in a readable format, will not be pursued.
It does not impose any restrictions on how much data the company can collect, or how it uses it to target advertising at certain groups. Mr Chopra said: “The order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.”
Christine Wilson, one of the FTC’s Republican commissioners, said: “We do not have the legal authority to remove Mr Zuckerberg from the driver’s seat, but we have imposed a robust system of checks and balances that extinguishes his ability unilaterally to chart the path for consumer privacy at Facebook.”
A ‘sharper turn’ towards privacy
Colin Stretch, Facebook’s general counsel, said in a blog post that the agreement “will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past”.
In a separate post, Facebook said on Wednesday that it had cut off access to users’ friend data by Microsoft and Sony. Late last year the company ended a dozen data-sharing agreements with big tech companies following concern that users were unclear how their data were being used and shared. However, Microsoft and Sony had continued to access some friend data by “mistake”, Facebook said.
The FTC accused Facebook of three separate violations of a previous agreement with the regulator. First, it said that the company incorrectly told consumers that they could limit the sharing of their information to certain groups, whereas it was sharing that information more broadly, with third-party app developers.
Second, Facebook did not adequately assess and address privacy risks posed by third-party app developers.
Third, Facebook told some users they would have to turn on facial recognition technology, even though it was already on by default.
The FTC also announced on Wednesday that it had filed a complaint against Cambridge Analytica for “deceptive acts and practices to harvest personal information from Facebook users for political and commercial targeted advertising purposes”.
The company, which has now gone bankrupt, has not settled the allegations, the FTC said. However, the FTC settled individual charges with Alexander Nix, Cambridge Analytica’s chief executive, and app developer and academic Aleksandr Kogan, which will now require them to be more transparent about how and why they handle personal information, and to delete any personal data they collected during the scandal.


