After months of negotiations, the Federal Trade Commission fined Facebook a record-setting $5 billion on Friday for privacy violations, according to multiple reports. The penalty comes after an investigation that lasted over a year, and marks the largest in the agency’s history by an order of magnitude. If approved by the Justice Department’s civil division, it will also be the first substantive punishment for Facebook in the US, where the tech industry has gone largely unregulated. But Washington has taken a harsher stance toward Silicon Valley lately, and Friday’s announcement marks its most aggressive action yet to curb its privacy overreaches.
Full details of the settlement were unavailable Friday afternoon, and the FTC and Facebook both declined to comment. The Wall Street Journal first reported the news. It’s unclear how long it will take for the Justice Department to review the terms. In the meantime, important questions remain unanswered, including whether the FTC has opted to hold Facebook CEO Mark Zuckerberg personally liable for the company’s privacy violations, and what sort of external oversight Facebook must submit to going forward.
The FTC opened its investigation into Facebook’s data practices last March, one week after news broke that Cambridge Analytica, a political consulting firm that worked with the Trump campaign in 2016, had improperly obtained information on tens of millions of Facebook users. The data was purchased from an academic who used a personality profiling app to collect information not just from consenting users but, thanks to Facebook’s lax privacy policies at the time, from all those users’ friends—without their knowledge. Facebook didn’t cut off that access until 2015.
But in 2011, Facebook had promised the FTC that it would not share data with third parties without users’ affirmative consent, as part of a settlement agreement over charges that the company deceived consumers about its privacy practices. It appears that the regulator has found that Facebook violated that consent decree.
“We don’t think a fine matters. We need a structural solution here.”
Matt Stoller, Open Markets Institute
The reported fine far surpasses the previous largest privacy-related penalty that the FTC has levied, a $22.5 million strike against Google in 2012 over its privacy policies on the Safari browser. But even $5 billion would be a drop in the bucket for Facebook, which generated $15 billion in revenue last quarter alone. When Facebook disclosed in its Q1 earnings report that it had set aside $3 billion to $5 billion to cover the costs of the settlement, its stock price soared.
Some of Facebook’s biggest critics had previously expressed doubt that any amount of money could sufficiently punish a company of Facebook’s size. “They can issue a really big fine, which is just a parking ticket,” Matt Stoller, a fellow at the anti-monopoly think tank Open Markets Institute, recently told WIRED. “We don’t think a fine matters. We need a structural solution here.”
In a letter to the FTC in early May, Senators Richard Blumenthal (D-Connecticut) and Josh Hawley (R-Missouri) argued that the FTC should “compel sweeping changes to end the social network’s pattern of misuse and abuse of personal data.”
“Personal responsibility must be recognized from the top of the corporate board down to the product development teams,” the letter read. “If the FTC finds that any Facebook executive knowingly broke the consent order or violated the law, it must name them in any further action.” Whether the FTC did so remains one of the biggest open questions around this settlement, one made all the more intriguing after the recent disclosure of emails, again in The Wall Street Journal, that appear to indicate that Zuckerberg was aware of the company’s “questionable” privacy practices.
The Cambridge Analytica scandal spurred a rising awareness of data rights in the United States, as Facebook and other tech companies were repeatedly called to answer for broken promises and failures to protect user data. The FTC’s apparent decision comes amid a growing demand for more action to rein in Big Tech. In Congress, lawmakers on both sides of the aisle have called for federal legislation to protect the privacy rights of Americans, while a number of state legislatures already have passed or are considering privacy bills of their own.
The concerns over Big Tech aren’t limited to privacy, either. The FTC formed a task force to investigate both future and past mergers in the industry earlier this year and now, along with the Justice Department, is reportedly scrutinizing major companies like Facebook and Google over antitrust concerns. Massachusetts senator and Democratic presidential candidate Elizabeth Warren has proposed splitting up tech platforms that also do business on those platforms and reviewing past mergers, including Facebook’s acquisition of Instagram and WhatsApp. A number of conservative politicians, including President Trump, have accused social media companies of liberal bias and censorship.
New details have also emerged about how Facebook had brokered special data deals with device manufacturers and large companies, even after the company cracked down on data access in 2015. One such company that received extended access was the Russian internet giant Mail.ru. Facebook also suffered a massive data breach, exposing some 30 million accounts.
And earlier this year, TechCrunch published a report detailing how used an app called Research to observe every move users made on their phones in order to spy on the competition. Not only that, but Facebook used a loophole to distribute the app to iPhone users, after Apple kicked another, similar Facebook app, out of its App store.
All of this has triggered a change of heart—or at least a change in public positioning—for the company. In March, Facebook CEO Mark Zuckerberg launched a privacy roadshow of sorts, first revealing in a lengthy blog post his vision for a new type of privacy-focused social network. This social network would focus on messaging, enabling people to send end-to-end encrypted messages across Facebook Messenger, Instagram, and WhatsApp, and moving into newer areas like payments and commerce. Later that month, Zuckerberg wrote an op-ed in The Washington Post, expressing his support for regulation focused on “harmful content, election integrity, privacy and data portability.”
“I believe Facebook has a responsibility to help address these issues, and I’m looking forward to discussing them with lawmakers around the world,” Zuckerberg wrote. “But people shouldn’t have to rely on individual companies addressing these issues by themselves. We should have a broader debate about what we want as a society and how regulation can help.”
Facebook and other tech companies have spent years lobbying against regulations, including, in particular, a privacy bill in California and federal regulations that would have placed stricter oversight on digital political ads.
The reported FTC fine, hefty as it is, doesn’t mean the company’s regulatory woes are over. Facebook still faces multiple investigations in the US. The Securities and Exchange Commission launched a probe last year in the wake of the Cambridge Analytica revelations. Earlier this year, Facebook’s data deals with other companies sparked a criminal investigation by federal prosecutors in the Eastern District of New York. The company is also facing a lawsuit from the US Department of Housing and Urban Development, filed in April, over allegations its advertising platform enabled housing discrimination. When rumors of possible antitrust investigations leaked last month, reports described the FTC negotiating a claim over any future looks into Facebook. And that’s before you even get to Europe, where the General Data Protection Act has put Facebook squarely in the sights of EU regulators.
If approved, Friday’s apparently FTC settlement would set a precedent for how federal regulators plan to approach tech giants at a time of rising awareness about data rights. But not even $5 billion will effect real change without comprehensive reform to back it up.