Facebook and the US Federal Trade Commission (FTC) have agreed to a sweeping, $5 billion settlement related to Facebook’s user privacy violations. As part of the record-breaking settlement, Facebook has agreed to conduct a massive overhaul of its consumer privacy practices. The settlement also removes CEO Mark Zuckerberg as Facebook’s sole privacy decision maker.
The FTC investigation, launched following the events of the Cambridge Analytica scandal, alleges that Facebook repeatedly used “deceptive disclosures and settings to undermine users’ privacy preferences” in violation of its 2012 agreement with the FTC. The FTC also alleges that Facebook was inadequate in dealing with apps that it knew were violating its platform policies.
“These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook ‘friends,'” the agency said. “The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing.”
Going forward, Facebook will now be required to conduct a privacy review of every new product, service, or practice it develops before it’s implemented, as well as establish an independent privacy committee in an effort to strip Zuckerberg of his “unfettered control” over user privacy decisions.
Facebook will also be required to designate compliance officers who, along with Zuckerberg, will submit quarterly certifications that Facebook is in compliance with the settlement’s mandates. Meanwhile, a third-party organization will assess Facebook’s data-collection practices, including those on Instagram and WhatsApp, every other year for the next 20 years.
Additional new privacy requirements include the following:
- Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
- Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
- Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
- Facebook must establish, implement, and maintain a comprehensive data security program;
- Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
- Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
The settlement is the FTC’s largest financial penalty to date, trouncing the $22.5 million fine imposed on Google in 2012. Facebook also reached a $100 million settlement with the US Securities and Exchange Commission (SEC) for “making misleading disclosures regarding the risk of misuse of Facebook user data.” The SEC alleges that Facebook discovered the misuse of user data in 2015 but downplayed the severity of the consumer privacy risks for another two years.
In April, Facebook disclosed that in Q1, it set aside $3 billion for expenses related to the FTC probe, expecting the investigation to cost it somewhere between $3 billion and $5 billion. Facebook’s revenue for the quarter exceeded $15 billion.
“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company,” Facebook said in a blog post Wednesday morning. “It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”
In a separate announcement, the FTC revealed that it also sued Cambridge Analytica, and settled with its former CEO and the developer responsible for making the app that harvested Facebook user data.