Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

It's Official: FTC Fines Facebook $5 Billion

Mark Zuckerberg Must Ensure Compliance With Commission's Order
It's Official: FTC Fines Facebook $5 Billion
Facebook CEO Mark Zuckerberg

On Wednesday, the U.S. Justice Department and the Federal Trade Commission officially announced a privacy settlement with Facebook that includes a record-setting $5 billion fine.

See Also: Cyber Insurance Assessment Readiness Checklist

A federal judge still must finalize the agreement, according to the FTC.

Facebook agreed to several new measures to ensure that personal information is protected on its platform. CEO Mark Zuckerberg, along with other company compliance officers, must submit quarterly and annual reports to show that the company is in compliance with the FTC order.

In addition to the FTC fine, the U.S. Securities and Exchange Commission announced Wednesday a $100 million fine against Facebook related to making misleading statements to investors.

While Facebook's current issue with the FTC is now over, the company is likely to face an even larger test ahead. During its second-quarter earnings call on Wednesday, the company acknowledged it's facing an antitrust probe by the Justice Department. "In June 2019, we were informed by the FTC that it had opened an antitrust investigation of our company. In addition, in July 2019, the Department of Justice announced that it will begin an antitrust review of market-leading online platforms," according to a company statement.

Facebook also reported Wednesday that it had set aside an additional $2 billion to cover the cost of the FTC fine, supplementing $3 billion set aside earlier in the year (see: Facebook Takes $3 Billion Hit, Anticipating FTC Fine)

FTC Votes 3-2

As previously reported, the FTC recently voted 3-2 to approve the fine against Facebook, with three Republican members voting in favor and the two Democratic members voting against it.

"The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” says FTC Chairman Joe Simons. The settlement is designed “to change Facebook's entire privacy culture to decrease the likelihood of continued violations," he adds.

While Simons and other Republicans on the commission praised the settlement, the two Democratic commissioners disagreed, with Commissioner Rohit Chopra tweeting that the agreement did not go far enough.

Zuckerberg’s Accountability

In addition to paying the record fine, Facebook agreed to form an independent privacy committee within the company's board of directors to oversee its behavior when it comes to user data and personal information and how it's used, according to the new agreement. That committee must approve new compliance officers for Facebook - including CEO Mark Zuckerberg - who now must submit quarterly and annual reports to show that the company is in compliance with the FTC order.

As part of the agreement, the FTC notes that new rules for the company and the privacy committee remove "unfettered control by Facebook's CEO Mark Zuckerberg over decisions affecting user privacy."

(Image: FTC)

In a post Wednesday, Zuckerberg writes that his company will now treat user data in much the same way it treats financial data under various government rules and regulations.

"As part of this settlement, we're bringing our privacy controls more in line with our financial controls under the Sarbanes-Oxley legislation," Zuckerberg says. "Our executives, including me, will have to certify that all of the work we oversee meets our privacy commitments. Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program. We've also asked one of our most experienced product leaders to take on the role of chief privacy officer for products."

Year-Long Investigation

Wednesday's announcement ends a year-long commission investigation into Facebook's misuse of its user data and its violation of a 2012 agreement with the FTC.

The investigation was launched in March 2018 as a result of the Cambridge Analytica controversy over how the now-defunct voter profiling firm improperly obtained profile data for 87 million Facebook users without their consent (see: Facebook and Cambridge Analytica: Data Scandal Intensifies).

Cambridge Analytica obtained about 87 million users' profile data from Aleksandr Kogan, a Cambridge University lecturer who deployed a quiz app on Facebook around 2013.

The app, called "This is Your Digital Life," collected the personal information for people who used it as well as that of their friends, who had not provided their consent. Facebook later changed it rules to prevent such data harvesting. Kogan shared the data in violation of Facebook's policies. The brief work Cambridge Analytica conducted for President Donald Trump's 2016 campaign, as well as rising awareness among the public of how their personal data is collected and transferred to third parties, helped trigger the investigation.

The FTC also announced Wednesday that the commission would file a lawsuit against Cambridge Analytica. As part of that legal action, former CEO Alexander Nix and ex-app developer Kogan agreed to restrict how they conduct any business, according to the commission.

New Standards

The FTC charged that Facebook shared its users' personal information with third-party application developers and that many users and their friends did not know the company was sharing that data with others and there was no way to opt out of sharing.

Under the original August 2012 consent order with the FTC, Facebook was required to obtain permission from consumers before making changes to privacy settings. That same agreement also barred the company from sharing data of its users to third parties without their consent. The FTC required Facebook to obtain third-party audits every two years certifying that it is in compliance with the settlement and had a privacy and security program in place.

As part of the new agreement announced Wednesday, Facebook must ensure that third-party applications are within compliance for user privacy, and it also must document when personal information from 500 or more users is compromised, according to the FTC agreement.

Under the settlement, Facebook must also stop asking for email passwords when consumers sign up for other services. It’s also now barred from using telephone numbers that it gathers in security features, such as two-factor authentication, for advertising purposes. The company must also get user consent to use data from facial recognition technology.

Money Set Aside for Fine

Facebook and the FTC privately negotiated the settlement for months.

The agreement between Facebook and the FTC comes as government agencies, especially in Europe, are beginning to hold companies more responsible for how they use or misuse users data.

Over the last several weeks, U.K. regulators signaled their intent to fine British Airways £184 million ($230 million) and hotel giant Marriot £99 million ($125 million) over data security incidents under the E.U.'s General Data Protection Regulation (see: Marriott Faces $125 Million GDPR Fine Over Mega-Breach).

In the U.S., however, there is no universal, federal privacy law covering consumer data. So the FTC's strategy has been to allege violations of the FTC Act, which is intended to protect consumers from unfair and deceptive practices.

(Also see: Facebook Fixing Messenger Kids App Flaw)

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.