It’s official. Facebook will pay a record-breaking $5 billion fine as part of an agreement with the Federal Trade Commission over privacy violations.
On Wednesday, both Facebook and the FTC announced the details of the finalized settlement, which stems from the Cambridge Analytica scandal.
For months, information has leaked regarding fines and other measures the FTC might use to punish and regulate Facebook. Now, we know the official details.
The privacy committee will be required to “designate compliance officers” to submit quarterly reports to the FTC to ensure the company is complying with the agreement. Also required to submit reports on the company's privacy program compliance: Zuckerberg. In addition, according to the FTC, "any false certification will subject them to individual civil and criminal penalties."
During this period, a third-party assessor will review Facebook’s privacy policies and report to the FTC. The company must also conduct its own privacy reviews of “every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy.”
Facebook must also “document incidents when data of 500 or more users has been compromised” and the actions the company has taken to rectify the issue. Facebook must report this information within 30 days of discovery.
The FTC’s order covers not only Facebook, but the company’s other products such as Instagram and WhatsApp as well.
In addition, the FTC has required that Facebook “exercise greater oversight over third-party apps” and establish and maintain a “comprehensive data security program.”
The order also addresses another major privacy violation from Facebook. Advertisers were able to access users' telephone numbers, which were provided to Facebook for security purposes, such as two-factor authentication. The order prohibits this practice.
It also requires Facebook to encrypt user passwords and regularly check to make sure none of them are stored in plaintext. The order addresses facial recognition technology by requiring that Facebook notify users and obtain consent prior to it being deployed.
While the settlement might feel significant, experts have criticized it as a slap on the wrist that won't change how business is done at Facebook.
For example, while the $5 billion fine may seem like a lot, Facebook made more than $15 billion last quarter alone. The company is expected to announce more than $16 billion in revenue for Q2.
Facebook also gets away with admitting no wrongdoing.
Chopra has specifically railed against the fact that Facebook’s top executives, including Mark Zuckerberg and Sheryl Sandberg, received “blanket for their role in the violations.” Earlier reports said that the FTC was split on holding executives like Zuckerberg personally accountable.
Chopra also pointed out that the settlement provides immunity to the company for "any and all claims prior to June 12, 2019." Basically, Facebook is now protected from legal liability related to privacy issues from before that date, whether those violations were already known to the public or not.
Experts also pointed out that many of the FTC's new privacy requirements concern issues Facebook had already addressed.
Even more settlements
Facebook also announced today that it has settled a Securities and Exchange Commission investigation regarding the company misleading its investors on privacy violation issues. The company is required to pay a $100 million fine.
Along with the Facebook settlement, the FTC announced it is suing Cambridge Analytica. The data consulting firm filed for bankruptcy last year and has not settled with the FTC regarding the commission's allegations.
The FTC also announced its settlements with app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix.
Kogan’s personality app “thisisyourdigitallife” harvested data from tens of millions of people in the U.S., which he later sold to Cambridge Analytica. Facebook says that this was against its terms of service.
As part of the settlement, Kogan and Nix “are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information.” Both are also required to destroy any personal data obtained from the personality quiz app.