The Federal Trade Commission has confirmed its $5 billion fine against Facebook stemming from the Cambridge Analytica debacle and, at the same time, filed suit against Cambridge Analytica and settled with a former top executive of the company and an app developer.
The commission concluded that Facebook had "repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order" and "took inadequate steps to deal with apps that it knew were violating its platform policies."
The FTC billed the Facebook complaint and settlement as containing "sweeping new privacy restrictions" on the company and a "modified corporate structure."
The Department of Justice issued a release on the Facebook settlement as well, pointing out it was a product of both agencies.
That comprises a 20-year settlement period in which Facebook will "overhaul" the way it makes privacy decisions "by boosting the transparency of decision making and holding Facebook accountable via overlapping channels of compliance."
Zuckerberg, appropriately, commented on the settlement in a Facebook post, saying: "We have a responsibility to protect people's privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry."
Facebook will establish an "independent privacy committee" on its board, "removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy."
Zuckerberg will have to certify that Facebook is in compliance with privacy protections, and face personal civil and criminal liability if it is not.
In addition, said the FTC:
"Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
"Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
"Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
"Facebook must establish, implement, and maintain a comprehensive data security program;
"Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plain text; and
"Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services."
The injunctive relief the FTC secured applies to both WhatsApp and Instagram.
The $5 billion is the biggest-ever fine for privacy violations, 20 times larger than number two, the FTC pointed out.
After it became clear a fine of up to $5 billion would be coming--Facebook let the cat out of the bag in a financial statement--critics have said the fine was too small given the size of the social media giant. The FTC was clearly trying to signal that was not the case. "It is one of the largest penalties ever assessed by the U.S. government for any violation," the FTC said.
"The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight," it said.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC chairman Joe Simons in a statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
Separately, the FTC said it would be suing Cambridge Analytica, its former CEO Alexander Nix and app developer Aleksandr Kogan, alleging "they used false and deceptive tactics to harvest personal information from millions of Facebook users." Kogan and Nix have settled with the FTC, while Cambridge Analytica has not.
The FTC vote for the settlement was 3 to 2, with the Democrats dissenting, arguing the settlement "does little to change the business model or practices" of the company, as Commissioner Rohit Chopra put it in his dissent.
Democratic Commissioner Rebecca Kelly Slaughter said that, as historic as the fine was, she did not believe it would "effectively deter Facebook from engaging in future law violations and send the message that order violations are not worth the risk."
She wanted to see Zuckerberg in court. "Rather than accepting this settlement, I believe we should have initiated litigation against Facebook and its CEO Mark Zuckerberg," she said. "The Commission would better serve the public interest and be more likely to effectively change Facebook by fighting for the right outcome in a public court of law."