The deal comes amid growing calls in Washington for greater transparency and accountability for technology companies, whose power over social movements as well as personal information has increasingly come to be seen as dangerous by politicians, users, and even one of Facebook’s co-founders.
Facebook agreed to the deal following years of damaging admissions about the company’s privacy practices, such as the inadvertent exposure of up to 87 million users’ information to the political analysis firm Cambridge Analytica.
The settlement resolves a formal complaint by the FTC alleging that Facebook “used deceptive disclosures and settings” that eroded user privacy, violating a prior agreement Facebook signed with the commission in 2012. Facebook also broke the law, the FTC alleged, by misusing phone numbers obtained for account security purposes to also target advertisements to its users. And the company allegedly deceived “tens of millions of users” by implying that a facial recognition feature on the service had not been enabled by default, when in fact it had.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” said Chairman Joseph Simons in a statement. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
In a Facebook post
published shortly after the FTC’s announcement Wednesday, company CEO Mark Zuckerberg said, “We’ve agreed to pay a historic fine, but even more important, we’re going to make some major structural changes to how we build products and run this company. We have a responsibility to protect people’s privacy. We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry.”
Separately Wednesday, the Securities and Exchange Commission announced that Facebook had agreed to pay $100 million to settle “charges… for making misleading disclosures regarding the risk of misuse of Facebook user data.”
Facebook’s stock was down slightly when the market opened Wednesday morning.
The FTC settlement — which also covers Facebook subsidiaries Instagram and WhatsApp — could set the tone for a wave of further action by policymakers worldwide as they seek to rein in the most powerful players in Silicon Valley.
The $5 billion fine is nearly 30 times the FTC’s largest-ever civil penalty to date — $168 million, which was levied on Dish Network (DISH) in 2017 — reflecting the tremendous scale of Facebook’s operations, as well as the enormity of its self-admitted mistakes.
In addition to the record civil penalty, Facebook also agreed to accept greater oversight of its privacy practices. Under the FTC deal, Facebook’s board will form a privacy oversight committee made up of independent members who cannot be fired by Zuckerberg alone. That committee will be charged with appointing still other officials who must periodically and truthfully certify that Facebook is complying with the FTC agreement, or risk being held personally liable. Zuckerberg will also be required to make those same certifications, the FTC said.
“False certifications would subject Mr. Zuckerberg and the [designated compliance officers] to personal liability, including civil and criminal penalties,” Simons said in a statement written jointly with the Commission’s two other Republican members, Christine Wilson and Noah Phillips.
The FTC also required that regular third-party assessments of Facebook’s privacy practices not rely on company materials but instead on the auditor’s own fact-finding.
The FTC voted 3-2 to approve the settlement, with the agency’s two Democrats dissenting because they believed the measure did not go far enough. In dissents, Commissioners Rohit Chopra and Rebecca Slaughter said they believed the fines were far too small, and that the FTC wrongfully gave Zuckerberg and Facebook COO Sheryl Sandberg a pass.
“Failing to hold them accountable only encourages other officers to be similarly neglectful in discharging their legal obligations,” wrote Chopra. “In my view, it is appropriate to charge officers and directors personally when there is reason to believe that they have meaningfully participated in unlawful conduct, or negligently turned a blind eye toward their subordinates doing the same.”
Other prominent tech critics, including Democratic Sen. Richard Blumenthal of Connecticut and Missouri Republican Sen. Josh Hawley, have said a $5 billion fine would be “a bargain” for Facebook. In an earnings report earlier this year, Facebook said it was setting aside $3 billion to help cover expenses related to the expected penalty. It reported quarterly revenues of $15 billion at the time and its stock rose after it announced the charge, signaling investors were relieved by the probable outcome.
Facebook initially offered to pay $0 to resolve the Federal Trade Commission’s investigation into the tech giant’s privacy practices, according to details of the closed-door negotiations obtained by CNN.
The company later increased that number to $100 million, but its highest offer in the talks topped out at $1 billion, James Kohm, director of the FTC’s enforcement division and a lead agency negotiator, told CNN in an interview Wednesday.
That is far less than the $5 billion Facebook eventually agreed to pay. But it also pales in comparison to the tens of billions that the FTC initially sought from Facebook for violating a 2012 privacy-related consent order.
Kohm described that stage of the talks as early and said that Facebook’s proposals at the time were not serious. When the two sides reached a ballpark amount, the talks became more serious and shifted to other proposed measures such as changes the FTC wanted from Facebook’s governance and accountability structures.
“At several points we walked out or threatened to walk out,” said Kohm. “It was contentious, but it was professional and adult.”
Neither Zuckerberg nor COO Sheryl Sandberg were deposed as a part of the investigation, Kohm said. But, he added, the Justice Department interviewed roughly two dozen company officials, including some senior officials, and provided notes to the FTC.
The final settlement stretched on for 20 pages, said Kohm, and “every single word was negotiated.”
Formore than a year, Facebook — once the darling of policymakers and a celebrated example of American ingenuity — has lurched from crisis to crisis.
This past October, for example, Facebook disclosed that hackers had compromised tens of millions of accounts by exploiting a series of software flaws, culminating in their ability to impersonate users and take over their profiles.
The following month, Facebook acknowledged that its platform had been abused in Myanmar to “foment division and incite violence,” citing a human rights review of Facebook that the company had commissioned. Facebook at the time said it agreed with the independent report and that “we can and should do more.”
Critics have repeatedly pointed to Facebook’s role in spreading misinformation, hate speech and conspiracy theories on its platforms. The company came under fire in March when reports showed that Facebook’s search tool was recommending anti-vaccination groups and pages to users of the platform. Facebook published a blog post saying it was developing new policies to handle the issue, but the misinformation persisted even after the new initiative began.
That same month, Facebook faced renewed criticism over its content moderation efforts when a Facebook Live video that appeared to show a gunman massacring worshipers in Christchurch, New Zealand, threatened to spiral out of control. Though Facebook shut down the attacker’s account and scrubbed more than a million instances of the video from its services, the company struggled to contain the viral content.
With Wednesday’s announcement, the FTC sought to demonstrate its resolve as the nation’s top privacy cop, attempting to show it is a robust and credible enforcer at a time when tech dominates nearly all aspects of modern life, from advertising to communications and entertainment.
Over more than a year, the FTC investigation gained increasing significance as a test of Washington’s commitment and ability to regulate Silicon Valley. It marked a sharp divergence from the Obama era, when Silicon Valley engineers and entrepreneurs were frequent White House visitors and, in many cases, filled key administration posts. Now, at a time when technology companies are under heightened scrutiny from Congress and on the receiving end of President Trump’s social media jabs, analysts say the FTC was under pressure to seek a tough deal from Facebook.
But the settlement, which must still be approved by a judge, proved much weaker than some commissioners had hoped. Chopra and Slaughter both said the far-reaching consequences of Facebook’s missteps called for more aggressive action.
The federal government should have taken Facebook to court to deter it from violating the law in the future, Slaughter wrote in her dissent.
“Litigation would have provided public transparency and accountability for the company, its leaders, and the Commission,” she wrote. “It would send a message to the market and the public that the Commission is willing to go to the mat to ensure compliance with its orders.”
The settlement does not require Facebook to spin off Instagram and WhatsApp; antitrust experts have said that a breakup proceeding would likely require a separate lawsuit alleging that Facebook violated the nation’s competition laws, as opposed to a prior settlement order.
FTC officials had initially wanted a fine in the “tens of billions” but feared it would not pass muster with a judge, The Washington Post reported Tuesday.
Simons acknowledged some of the agency’s constraints on Monday as he announced a multi-million-dollar settlement with the credit reporting agency Equifax (EFX) over its 2017 data breach. In a press briefing, Simons said the FTC did not slap Equifax with a fine because the commission lacks the power to seek those penalties on a first offense.
FTC proponents have also said the agency needs more resources to better serve as an effective regulator. In 2018, the FTC reported a total budget of roughly $350 million — about two percent of Facebook’s reported revenue in the first quarter of 2019.
The FTC announcements this week may add pressure on Congress to give the agency more power or to develop a national privacy law, some analysts said.
“There’s a need and a demand for legislation irrespective of this [Facebook] settlement,” said Hal Singer, an economist at George Washington University’s Institute of Public Policy.
Such a bill could have far-reaching effects, potentially touching every corner of the economy as technology increasingly finds its way into new areas. But progress on the legislation has been slow, and many policy experts privately say they increasingly doubt a bill can be passed this year.
Facebook faced sharp questioning from Congress last week as a key panel on the House Judiciary Committee continued a “top-to-bottom” antitrust review of the tech industry. Lawmakers on other committees scrutinized Facebook’s plans to launch a digital currency, Libra, with many arguing Facebook must reform itself before trying to disrupt the global financial system.
The “techlash,” as some observers have come to call it, is a remarkable break from recent history — particularly for many Democrats who otherwise share close ties culturally and financially with Silicon Valley. For the tech industry, it represents a dramatic shift in attitudes about its role in civil society.
“These questions of trust and privacy are not limited to Google and Facebook,” said Todd McKinnon, CEO of the cloud services company Okta. “If you’re a laundromat and you have a mobile app that gets your customers in there, you’re a tech company — so the techlash is going to affect your laundromat. It sounds funny, but it’s true.”
Meanwhile on the campaign trail, presidential candidates such as Sens. Elizabeth Warren (D-Mass.) and Bernie Sanders (I-Vt.) have criticized tech giants for being overly powerful and part of a larger wave of corporate concentration that must be beaten back. In March, Warren unveiled a campaign proposal that would all but dismantle giants such as Amazon, Facebook and Google. Sen. Amy Klobuchar, another 2020 Democratic contender, has said the tech industry has contributed to a “major monopoly problem” in the United States.
Facebook has claimed that a breakup would make it harder, not easier, to address problems such as disinformation and hate speech, and that over-regulation risks giving foreign tech companies an edge.
Republicans such as Sen. Marsha Blackburn (R-Tenn.) have also called for greater limits on tech companies. In a recent speech before the U.S. Chamber of Commerce, Blackburn said it is too early to consider breaking up large tech platforms, but that companies such as Facebook have shown they can no longer regulate themselves.
Wednesday’s settlement, however, isn’t likely to deter states that are taking their own close look at Silicon Valley.
Multiple state attorneys general have suggested they could pile on with their own investigations or lawsuits against the tech industry. In December, Karl Racine, attorney general for the District of Columbia, became the first when his office sued Facebook over the Cambridge Analytica debacle.
And the FTC itself could open additional investigations, said Harold Feld, a senior vice president at the consumer group Public Knowledge. A recently established task force charged with reviewing past tech mergers could, for example, seek to determine whether Facebook’s acquisition of WhatsApp or Instagram proved harmful to competition.
“It’s very clear that the settlement is not the end of the game,” said Feld.
The hotel chain said in a regulatory filing Tuesday that Britain’s Information Commissioner’s Office intends to impose a £99 million ($124 million) fine under the General Data Protection Regulation (GDPR).
The regulator said that the penalty stems from a Marriott data breach that exposed 339 million guest records globally, including 30 million Europeans. Marriott has said the hack began in 2014 but was only discovered in November 2018, shortly before it reported the breach.
It’s the second major fine proposed by the regulator this week. On Monday, the ICO said that British Airways (ICAGY) faces a £183.4 million ($230 million) fine after a breach compromised data on 500,000 customers.
Marriott (MAR) said that it would appeal any fine imposed by the regulator.
“We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect,” Marriott International CEO Arne Sorenson said in a statement.
GDPR forces companies to make sure the way they collect, process and store data is safe.
Any organization that holds or uses data on people inside the European Union is subject to the rules, regardless of where it is based. Companies that breach the law can be fined up to 4% of their annual revenue.