The Federal Trade Commission has formally announced its approval of a $5 billion settlement with Facebook over the company’s privacy policies. Shares of Facebook were down less than 1% during morning trading, shaving more than $3 billion from its market cap and bringing it around $573 billion.
The fine is the largest ever imposed by the FTC against a tech company. The previous high was a 2012 $22.5 million fine against Google for its privacy practices. The $5 billion fine against Facebook represents approximately 9% of the company’s 2018 revenue.
The FTC first started probing Facebook in March 2018 after reports that political consulting firm Cambridge Analytica had accessed the data of 87 million Facebook users. The agency was concerned that Facebook had violated the terms of a previous agreement, which required Facebook to give users very clear notifications when their data was being shared with third parties.
Separately, the Securities and Exchange Commission announced Wednesday it is charging Facebook with making misleading disclosures about the risk of misuse of user data. The SEC alleged Facebook described data misuse as hypothetical to investors when it was aware of real instances of misuse. Facebook agreed to pay $100 million to settle the charges, according to the SEC. On a call with reporters, the SEC’s deputy director of enforcement Stephanie Avakian said the $100 million figure represents the “highest penalty the SEC has ever assessed for this kind of disclosure failure.”
The FTC order mandates that Facebook create an independent privacy committee on its board of directors to remove “unfettered control” by Zuckerberg over user privacy decisions, according to the announcement. The members will be nominated by an independent nominating committee and can only be fired by a two-thirds of voting shares, which would prevent Zuckerberg from controlling the vote with his share power.
Zuckerberg will also take on new responsibilities to ensure compliance with the order, according to the announcement. Zuckerberg was not questioned by the FTC as part of the probe, The Washington Post reported, and that regulators were divided over whether to hold the executive more directly accountable.
But the order will require Zuckerberg and designated compliance officers to submit to quarterly certifications from the FTC to acknowledge that the company is in compliance with the order’s privacy program. Zuckerberg and the officers will also have to certify annually that the company is complying with the overall order, making them personally liable to tell the truth or face the potential for civil and criminal punishments. The compliance officers will be approved by the new board privacy committee and can only be removed by that committee, according to the release.
Outside of Facebook, an independent third-party assessor approved by the FTC will conduct biennial assessments and report to the new privacy committee quarterly. Facebook must notify the assessor within 30 days of discovering that data of 500 or more users has been compromised, according to the release.
In a statement, majority voters FTC Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson heralded the record-breaking fine as a “historic victory for American consumers.”
“The magnitude of this penalty resets the baseline for privacy cases—including for any future violation by Facebook—and sends a strong message to every company in America that collects consumers’ data: where the FTC has the authority to seek penalties, it will use that authority aggressively,” they wrote in a statement accompanying the announcement.
The two dissenting commissioners, Rohit Chopra and Rebecca Kelly Slaughter, disagreed with this assessment.
“While it is difficult in this case to quantify the economic value of the violations to the company, there is good reason to believe $5 billion is a substantial undervaluation,” Slaugter wrote in a dissenting statement. “The fact that Facebook’s stock value increased with the disclosure of a potential $5 billion penalty may suggest that the market believes that a penalty at this level makes a violation profitable.”
They also took issue with the lack of personal accountability for Facebook’s chief executive.
“By far my biggest concern with the terms of the settlement is the release of liability, in particular the commitment that the order resolves ‘any and all claims that Defendant, its officers, and directors, prior to June 12, 2019, violated the Commission’s July 27, 2012 order,‘” Slaughter wrote. “I am also uncomfortable with the inclusion of ‘officers and directors’ in the release from ‘any [Section 5] claim known by the FTC.’ I would have preferred to name Mr. Zuckerberg in the complaint and in the order. I disagree with the decision to omit him now, and I strenuously object to the choice to release him and all other executives from any potential liability for their roles to date.
Chopra said it would be “appropriate to charge officers and directors personally when there is reason to believe that they have meaningfully participated in unlawful conduct, or negligently turned a blind eye toward their subordinates doing the same. There is precedent for the FTC not only charging individuals officers with order violations but also holding them personally liable for civil penalties, even when they were not named in the original order. This is a reasonable approach that should not be limited to cases involving smaller firms. ”
The majority voters said the settlement includes more concessions than what they would expect to receive from a court battle and allows changes to be implemented immediately.
“If the FTC had litigated this case, it is highly unlikely that any judge would have imposed a civil penalty even remotely close to this one,” they wrote. The commissioners also said they would be unlikely to secure the structural changes imposed by the settlement order through litigation since they said they would not be able to allege and prove Facebook’s board structure is illegal.
“Even assuming the FTC would prevail in litigation, a court would not give the Commission carte blanche to reorganize Facebook’s governance structures and business operations as we deem fit,” the commissioners in the majority wrote. “Instead, the court would impose the relief. Such relief would be limited to injunctive relief to remedy the specific proven violations and to prevent similar or related violations from occurring in the future.”
Slaughter wrote that even if litigation would have been the riskier option in terms of ensuring specific concessions, it would have been beneficial for public transparency.
“If a hard-fought litigation against Facebook produced a result that fell short of public expectations, the public would have every incentive to demand that Congress take steps to address deficiencies in the law,” Slaughter wrote.
In a blog post by Facebook’s general counsel Colin Stretch, Facebook said, “The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”
In the complaint accompanying the settlement, the government alleges that Facebook violated its 2012 settlement order with the agency by sharing data with third-party developers without explicit consent of some users. It alleges Facebook also misled tens of millions of users about their ability to control facial recognition technology on their accounts by turning the setting on by default.
The FTC also alleges Facebook violated the FTC Act’s prohibition against deceptive practices by failing to disclose it would use users’ phone numbers for advertising purposes when they were told it would enable a security feature called two-factor authentication. The new settlement order prohibits Facebook from using phone numbers obtained through security feature set-up to be used for advertising.
Despite the unprecedented size of the fine, both Democrats and Republicans criticized it after news of the FTC’s approval leaked, saying that Facebook should be forced to make structural changes to curb its power.
“Given Facebook’s repeated privacy violations, it is clear that fundamental structural reforms are required,” Democratic Sen. Mark Warner said in a statement on July 12. “With the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it’s time for Congress to act.”
Republican Rep. David Cicilline called the settlement “a slap on the wrist.”
“This fine is a fraction of Facebook’s annual revenue,” he said in a statement on July 12. “It won’t make them think twice about their responsibility to protect user data.”
Facebook had expected the settlement, taking a one-time charge of $3 billionin anticipation of the FTC fine in April in the company’s first-quarter results.
The FTC also announced that it is separately taking action against Cambridge Analytica and its former CEO Alexander Nix and app developer Aleksandr Kogan for their alleged use of “false and deceptive tactics to harvest personal information from millions of Facebook users,” according to the announcement. Nix and Kogan agreed to a settlement restricted their business conduct, the FTC said.
Simons will appear in an exclusive interview with CNBC at 10:50 a.m. Eastern Time. The FTC will host a press conference on the settlement at 11 a.m. Eastern.
