FTC slaps Facebook with record $5 billion fine, orders privacy oversight

Key Points
  • The Federal Trade Commission announces a settlement with Facebook over the company's privacy policies.
  • The fine represents the largest ever imposed by the FTC against a tech company.
  • The FTC began probing Facebook in March 2018 following reports that political consulting firm Cambridge Analytica had improperly accessed the data of 87 million Facebook users.
Facebook to pay $5 billion FTC fine, but Gene Munster says resolution is months away
Facebook to pay $5 billion FTC fine, but Gene Munster says resolution is months away

The Federal Trade Commission approved a record $5 billion settlement Wednesday with Facebook over the company's privacy policies.

Shares of Facebook were down slightly following the announcement, but turned positive in the afternoon, up about 1.1% by the end of trading. Facebook recouped more than what it will have to pay out for the settlement through what it gained in market value Wednesday. The stock added more than $6 billion to its market cap to bring it over $584 billion.

The fine is the largest ever imposed by the FTC against a tech company. The previous high was a 2012 $22.5 million fine against Google for its privacy practices.

Big Tech under pressure on antitrust concerns—Here's five experts on what investors should watch
Big Tech under pressure on antitrust concerns—Here's five experts on what investors should watch

The $5 billion fine against Facebook represents approximately 9% of the company's 2018 revenue.

The 20-year settlement includes provisions that aim to create a level of independence from Facebook CEO Mark Zuckerberg's decision-making.

It was approved along party lines in a 3-2 vote by the agency's commissioners. The two dissenters, both Democrats, said it didn't go far enough.

The FTC started probing Facebook in March 2018 after reports that political consulting firm Cambridge Analytica had accessed the data of 87 million Facebook users without authorization. The agency was concerned that Facebook had violated the terms of a previous agreement, which required it to give users clear notifications when their data was being shared with third parties.

Separately, the Securities and Exchange Commission announced Wednesday it is charging Facebook with making misleading disclosures about the risk of misuse of user data. The SEC alleged Facebook described data misuse as hypothetical to investors when it was aware of real instances of misuse. Facebook agreed to pay $100 million to settle the charges, according to the SEC. On a call with reporters, the SEC's deputy director of enforcement, Stephanie Avakian, said the $100 million figure represents the "highest penalty the SEC has ever assessed for this kind of disclosure failure."

The FTC order mandates that Facebook create an independent privacy committee on its board of directors to remove "unfettered control" by Zuckerberg over user privacy decisions. The members will be nominated by an independent nominating committee and can only be fired by a two-thirds majority of voting shares, which would prevent Zuckerberg from controlling the vote with his share power.

Zuckerberg will also take on new responsibilities to ensure compliance with the order, according to the announcement. Zuckerberg was not questioned by the FTC as part of the probe, and regulators were divided over whether to hold the executive more directly accountable.

At a press conference Wednesday morning, FTC Chairman Joe Simons said it was not necessary to question Zuckerberg to get a hold of the information it needed for the probe.

"We had a huge amount of material from them like emails documents, like millions of pages," Simons said. "So we knew what the problems were, whether he was involved or not was a different thing. And so we knew what the violations were without having to do that."

In an interview with CNBC's Ylan Mui, dissenting commissioner Rohit Chopra said the FTC did not investigate enough.

"I wanted to investigate further, really uncover what was on the executives' and the directors' minds, who was calling the shots, what was their motives," said Chopra. "If we don't even get those answers, how are we going to really know what really happened?"

But the order will require Zuckerberg and designated compliance officers to submit to quarterly certifications from the FTC to acknowledge that the company is in compliance with the order's privacy program. Zuckerberg and the officers will also have to certify annually that the company is complying with the overall order, making them personally liable to tell the truth or face the potential for civil and criminal punishments. The compliance officers will be approved by the new board privacy committee and can only be removed by that committee, according to the release.

Outside of Facebook, an independent third-party assessor approved by the FTC will conduct biennial assessments and report to the new privacy committee quarterly. Facebook must notify the assessor within 30 days of discovering that data of 500 or more users has been compromised, according to the release.

In a statement, majority voters Simons and fellow Republican Commissioners Noah Joshua Phillips and Christine S. Wilson heralded the record-breaking fine as a "historic victory for American consumers."

"The magnitude of this penalty resets the baseline for privacy cases — including for any future violation by Facebook — and sends a strong message to every company in America that collects consumers' data: where the FTC has the authority to seek penalties, it will use that authority aggressively," they wrote in a statement accompanying the announcement.

The two dissenting commissioners, Democrats Chopra and Rebecca Kelly Slaughter, disagreed with this assessment.

"While it is difficult in this case to quantify the economic value of the violations to the company, there is good reason to believe $5 billion is a substantial undervaluation," Slaughter wrote in a dissenting statement. "The fact that Facebook's stock value increased with the disclosure of a potential $5 billion penalty may suggest that the market believes that a penalty at this level makes a violation profitable."

They also took issue with the lack of personal accountability for Facebook's chief executive.

"I would have preferred to name Mr. Zuckerberg in the complaint and in the order," Slaughter wrote. "I disagree with the decision to omit him now, and I strenuously object to the choice to release him and all other executives from any potential liability for their roles to date."

The majority voters said the settlement includes more concessions than what they would expect to receive from a court battle and allows changes to be implemented immediately.

"If the FTC had litigated this case, it is highly unlikely that any judge would have imposed a civil penalty even remotely close to this one," they wrote. The commissioners also said they would be unlikely to secure the structural changes imposed by the settlement order through litigation since they said they would not be able to allege and prove Facebook's board structure is illegal.

"Even assuming the FTC would prevail in litigation, a court would not give the Commission carte blanche to reorganize Facebook's governance structures and business operations as we deem fit," the majority wrote. "Instead, the court would impose the relief. Such relief would be limited to injunctive relief to remedy the specific proven violations and to prevent similar or related violations from occurring in the future."

Slaughter wrote that even if litigation would have been the riskier option in terms of ensuring specific concessions, it would have been beneficial for public transparency.

"If a hard-fought litigation against Facebook produced a result that fell short of public expectations, the public would have every incentive to demand that Congress take steps to address deficiencies in the law," Slaughter wrote.

But Simons said at a press conference Wednesday morning that the FTC had few options under the current framework.

"Our authority in these types of cases is quite limited, which is why we have encouraged Congress to consider federal privacy legislation," Simons said. "But for now, the only real world choice here was to take a historic settlement that provides an immediate and important protection to American consumers, or wait for years to get far less relief. To me, not really much of a choice at all."

A blog post by Facebook's general counsel Colin Stretch said: "The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we've done in the past."

In the complaint accompanying the settlement, the government alleges that Facebook violated its 2012 settlement order with the agency by sharing data with third-party developers without explicit consent of some users. It alleges Facebook also misled tens of millions of users about their ability to control facial recognition technology on their accounts by turning the setting on by default.

The FTC also alleges Facebook violated the FTC Act's prohibition against deceptive practices by failing to disclose it would use users' phone numbers for advertising purposes when they were told it would enable a security feature called two-factor authentication. The new settlement order prohibits Facebook from using phone numbers obtained through security feature set-up to be used for advertising.

Despite the unprecedented size of the fine, Democrats and Republicans criticized it after news of the FTC's approval leaked, saying that Facebook should be forced to make structural changes to curb its power.

"Given Facebook's repeated privacy violations, it is clear that fundamental structural reforms are required," Democratic Sen. Mark Warner said in a statement on July 12. "With the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it's time for Congress to act."

Rep. David Cicilline, D-R.I., called the settlement "a slap on the wrist."

"This fine is a fraction of Facebook's annual revenue," he said in a statement on July 12. "It won't make them think twice about their responsibility to protect user data."

Facebook had expected the settlement, taking a one-time charge of $3 billion in anticipation of the FTC fine in April in the company's first-quarter results.

Correction: An earlier version had the wrong political party for Rep. David Cicilline. He is a Democrat.

WATCH: Here's how to see which apps have access to your Facebook data — and cut them off

Here's how to see which apps have access to your Facebook data — and cut them off
Here's how to see which apps have access to your Facebook data — and cut them off