The deal is also unlikely to mollify critics in Congress and among privacy advocates who have called for accountability for Zuckerberg, fines that represent a greater share of the company’s revenue and the unwinding of Facebook’s acquisition of Instagram and WhatsApp.
The FTC probe stems from the March 2018 disclosure that Cambridge Analytica, a consulting firm hired by Donald Trump’s 2016 presidential campaign, improperly obtained data on tens of millions of Facebook users from a researcher who collected personal data through a third-party quiz app. The app not only collected its users’ data, but also information on their friends, affecting millions of consumers.
The Cambridge Analytica scandal dealt a blow to Facebook’s reputation at a time when the company was already under fire for allowing Russian agents to exploit its platform to try to influence the 2016 election. The company’s battered reputation caught up with it earlier this month, when lawmakers railed against Facebook’s plan to introduce a digital currency. Sherrod Brown of Ohio, the top Democrat on the Senate Banking Committee, called the company “dangerous.”
Facebook also resolved an ongoing investigation by the Securities and Exchange Commission Wednesday. The agency fined Facebook $100 million, claiming the company should have told investors more about the data abuse involved in Cambridge Analytica.
The FTC also announced separate settlements with the now-defunct political consulting firm, its former CEO Alexander Nix, and an app developer who worked with the company, Aleksandr Kogan.
The agency’s investigation went far beyond issues around Cambridge Analytica. The FTC alleged violations going back to 2012, the same year that Facebook finalized an earlier consent order over privacy lapses. Four months after that accord, the FTC said, Facebook removed a disclosure that information users shared with friends could get sucked up by the apps those friends used -- while allowing the practice to continue.
Facebook also announced in 2014 that it would stop letting outside app developers collect data of users’ friends, according to the FTC. However, the company told developers they could continue the practice for a year if their apps were already on the platform -- and failed to stop the sharing until mid-2018 or later. The company also often limited enforcement of its policies against third-party developers if they were making Facebook money, the FTC alleged.
Under the settlement, Facebook will have to report data compromises to the FTC if more than 500 users are affected, terminate apps that fail to certify their compliance with company policies and provide greater notice of its use of facial recognition. Facebook had misled users to think they could opt in to a facial recognition feature, even though it was turned on by default, the FTC said.
Compliance with the order will be managed by an independent committee on Facebook’s board of directors, which Zuckerberg will not appoint. Zuckerberg, and a designated compliance officer approved by the independent committee, must certify compliance both with the privacy program and the larger order. False certification will “subject them to individual civil and criminal penalties,” the FTC said.
Facebook spent months negotiating the settlement with the FTC, and any future potential violations would likely require similar deliberation and delay. That makes it a weaker burden on Facebook than Europe’s General Data Protection Regulation, which for small violations penalizes companies 10 million euros, or 2% of the violator’s worldwide annual revenue, whichever is higher.