In a historic judgment, the US Federal Trade Commission (FTC) on Wednesday slapped a massive $5 billion fine on Facebook over violations of users’ privacy in the Cambridge Analytica scandal, while the US Securities and Exchange Commission (SEC) directed the social networking platform to pay a $100 million penalty for making misleading disclosures regarding the risk of misuse of user data.
Apart from the record-breaking $5 billion penalty, Facebook will also submit to new sweeping restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, the FTC said in a statement.
To prevent Facebook from deceiving its users about privacy in the future, the FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision making and holding Facebook accountable via overlapping channels of compliance.
The $5-billion fine represents nearly 9 percent of Facebook’s 2018 revenue. The decisions came as Facebook prepared to announce its second-quarter results at the end of trading on Wednesday. Facebook stock was down 2.2 percent in pre-market trading.
Facebook CEO Mark Zuckerberg said he will make some major structural changes to how he builds products and runs the company.
“Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program. We’ve also asked one of our most experienced product leaders to take on the role of Chief Privacy Officer for Products,” Zuckerberg said immediately after the fines were made official.
“The next focus for our company is to build privacy protections as strong as the best services we provide. I’m committed to doing this well and delivering the best private social platform for our community,” he added.
The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy, in this case that of nearly 87 million users by the third-party British political consultancy firm, and is almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
It is one of the largest penalties ever assessed by the US government for any violation.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations,” said the FTC.
Facebook monetizes user information through targeted advertising, which generated most of the company’s $55.8 billion in revenues in 2018.
To encourage users to share information on its platform, Facebook promises users they can control the privacy of their information through Facebook’s privacy settings.
Following a year-long investigation by the FTC, the Department of Justice will file a complaint on behalf of the Commission alleging that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.
“These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook ‘friends.’”
“The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing,” the statement read.
The FTC order said Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program.
“Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties,” said the order.
In a separate order, the US SEC announced charges against Facebook for making misleading disclosures regarding the risk of misuse of user data.
“For more than two years, Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data,” the SEC said in a statement.
According to the SEC’s complaint, in 2014 and 2015, Cambridge Analytica paid an academic researcher, through a company he controlled, to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans.
In addition to the personality scores, the researcher, in violation of Facebook’s policies, also transferred to Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays, and “page likes.”
Cambridge Analytica used this information in connection with its political advertising activities.
“Public companies must accurately describe the material risks to their business. As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had, in fact, been misused,” said Stephanie Avakian, Co-Director of the SEC’s Enforcement Division.