Facebook Inc. agreed to pay a record $5 billion to resolve a U.S. investigation into years of privacy violations, a settlement that increases the board of directors’ responsibility for protecting users’ data while changing little about the company’s lucrative advertising business.
The agreement, announced Wednesday by the Federal Trade Commission, will for the first time end Chief Executive Officer Mark Zuckerberg’s final authority over privacy decisions, creating an independent privacy committee of directors on the company’s board, according to an FTC statement.
The accord will also require Facebook to keep a tighter leash on third-party apps, perform regular sweeps for unencrypted passwords and refrain from using telephone numbers obtained for security purposes for advertising. It also calls for the company to conduct privacy reviews of new offerings and submit to new privacy certifications and assessments.
“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company,” Facebook said in a statement. “It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.” Facebook said it hopes the agreement, which requires greater accountability than is currently required under U.S. law, will be “a model for the industry.”
Facebook shares fell 2.5% to $178.34 at 10:12 a.m. in New York.
Still, the agreement, which was approved by the FTC’s Republican majority by a vote of 3-2, does little to alter Facebook’s structural data collection practices, which are at the heart of its business model. While the fine is steep, it’s far from devastating for Facebook, which reported sales of almost $56 billion in 2018. It had set aside $3 billion in anticipation of the fine.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” Chairman Joseph Simons said in a statement. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
While the fine is the largest ever imposed by the FTC for a privacy violation, it didn’t satisfy the agency’s two Democratic commissioners, Rebecca Kelly Slaughter and Rohit Chopra, who voted against it.
“When companies can violate the law, pay big penalties, and still turn a profit while keeping their business model intact, enforcement agencies cannot claim victory,” Chopra said in a statement. He said the settlement did little to empower the board to represent users rather than shareholders on privacy while releasing the company and executives from accountability for a broad array of potential misdeeds.
Slaughter said that given Facebook’s repeated violations, the FTC would have been more likely to change the company’s behavior by suing it and its CEO.