Following more than a year of speculation since the Federal Trade Commission announced it was investigating Facebook over privacy lapses, the regulator has officially announced the terms of its settlement with the beleaguered social network: $5 billion (as previously rumored) and improved privacy oversight within the company.

The order-mandated privacy program covers Facebook-owned WhatsApp and Instagram, as well as Facebook’s eponymous social platform.

The order was approved in a 3-2 vote by the agency’s commissioners. The FTC notes that the penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy — as well as flagging that it’s “almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide”.

In addition to the money, Facebook will have to create a board committee on privacy, and must provide executive assurance that user data is being respected.

“The settlement order announced today also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight,” the FTC writes in a press release announcing the decision.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC chairman, Joe Simons, in a statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

The FTC says the structure of its 20-year order against Facebook removes the “unfettered control” over privacy decisions exercised by CEO Mark Zuckerberg — by creating greater accountability at the board of directors level via the establishment of what it calls an “independent privacy committee”.

“Members of the privacy committee must be independent and will be appointed by an independent nominating committee,” it writes. “Members can only be fired by a supermajority of the Facebook board of directors.”

Facebook will also be required to designate compliance officers who will be responsible for Facebook’s privacy program.

“These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee — not by Facebook’s CEO or Facebook employees,” it writes. “Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.”

Another strand is aimed at strengthening external oversight of Facebook, with enhancements to audit processes that will take place every two years to evaluate the effectiveness of Facebook’s privacy program and identify any gaps.

“The assessor’s biennial assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management,” the FTC writes in what sounds like the end of Facebook being able to mark its own regulatory homework on its home turf.

“The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order.”

Facebook must also conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy, per the order.

While the designated compliance officers must submit a quarterly privacy review report — sharing it with the CEO and the independent assessor, as well as with the FTC upon its request.

The order also imposes security breach disclosure requirements on Facebook, which is required to document incidents when data of 500 or more users has been compromised, along with details of how it has sought to fix the problem — and provide that to the FTC and the assessor within 30 days of discovering the breach.

The FTC first confirmed that it was investigating Facebook in March of last year, during the then-new hubbub surrounding Cambridge Analytica’s abuse of data siphoned from the network. The regulator was specifically concerned that Facebook had been systematically violating the terms of its 2012 agreement, which barred them from a number of practices concerning user data.

Rumors started less than a year later that the fine the FTC was considering would be “record-setting,” though as many pointed out at the time, almost any conceivable amount would be easily (if not gladly) written off by the company, which brings in upwards of $50 billion per year in revenue.

Facebook fears no FTC fine

In April, seeing the writing on the wall and perhaps privy to some of the conversations, Facebook set aside $3 billion to cover the costs of the settlement it knew was coming (it still made a $2.4B profit), but said it expected the number may actually be $5 billion. And indeed that is the number that surfaced two weeks ago in early reports of the FTC vote. (Some had suggested fines far higher, perhaps mitigated by good behavior, but the FTC doesn’t seem to have taken them up on the idea.)

While multi-billion dollar fines make splashy headlines there could well be far greater business costs for Facebook locked up in the administrative requirements of the order.

Additionally, the FTC notes a laundry list of what it couches as “significant new privacy requirements” that it’s also imposing on the company — writing that:

  • Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

Although there are already criticisms of the order for not being strong enough — including from inside the FTC.

Rohit Chopra, one of the commissioners who voted against the settlement, has published a statement explaining why he did not support the order — warning that it “doesn’t fix the incentives causing these repeat privacy abuses” because it fails to stop Facebook from “engaging in surveillance or integrating platforms”.

“There are no restrictions on data harvesting tactics — just paperwork. $FB gets to sign off on what’s acceptable,” he writes in a set of tweets summarizing his views. 

Chopra also objects to the lack of penalties for Zuckerberg, Sheryl Sandberg, and other executives — pointing out the FTC is going after individuals attached to Cambridge Analytica’s misuse of Facebook data but letting Facebook management “get blanket immunity for their role in the violation”.

He also warns that “settlement fine print gives Facebook broad immunity for ‘known’ and ‘unknown’ violations”. “What’s covered by these immunity deals? Facebook knows but the public is kept in the dark.”

“Facebook’s flagrant violations were a direct result of their business model of mass surveillance and manipulation, and this action blesses this model. The settlement does not fix this problem. It now goes to court for approval,” he adds.

“We should all be concerned that the business incentives of big tech platform behavioral advertising spur practices that are dividing our society. When companies break the law and cause massive harm, they need to be held accountable.”

Also dissenting from the settlement is FTC commissioner Rebecca Kelly Slaughter who also takes the view that the order will not do enough to “effectively deter Facebook from engaging in future law violations” — writing that she would have preferred the agency to instigate litigation against Facebook and Zuckerberg.

“I cannot view the order as adequately deterrent without both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook’s data use and order compliance,” she writes, adding that her “deepest concern” with the order is that “its release of Facebook and its officers from legal liability is far too broad”.

Facebook has also responded to the penalty in a lengthy blog post penned by general counsel, Colin Stretch. 

“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company,” Stretch writes. “It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.

“The accountability required by this agreement surpasses current US law and we hope will be a model for the industry. It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements. Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working — and that we find and fix them when they are not.”

Stretch goes on to describe the Cambridge Analytica data misuse scandal as “a breach of trust between Facebook and the people who depend on us to protect their data”, before claiming the company will adopt a new more “robust” approach to privacy risk.

“We will be more robust in ensuring that we identify, assess and mitigate privacy risk,” he writes. “We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards.”

He also says Facebook will undertake a review of its “systems” — which he says the company expects will surface “issues” — pledging that “when it does, we will work swiftly to address them”.

In the blog he also confirms Facebook has settled a separate investigation by the Securities and Exchange Commission — agreeing to pay a further $100M to resolve a probe of its processes for disclosing data abuses to investors.

“We share the SEC’s interest in ensuring that we are transparent with our investors about the material risks we face, and we have already updated our disclosures and controls in this area,” he writes, adding: “As part of the settlement with the SEC, we agreed to pay a $100 million penalty.

Zuckerberg has also posted a response to his Facebook page — writing that “we’re going to make some major structural changes to how we build products and run this company”.

He also says the company expects complying with the changes instigated by the FTC order will take “hundreds of engineers and more than a thousand people across our company”, though it’s not clear whether that means Facebook will be beefed up its headcount by 1,000 or shifting priorities of what some of its existing staff focus on.