Facebook has agreed to pay $5.1 billion in fines to the FTC and SEC over charges that it deceived users over privacy controls, and mislead investors over risks of user data misuse.
Facebook will pay a record $5 billion penalty to the FTC and will submit to new restrictions and a modified corporate structure intended to hold it accountable for the decisions it makes about its users’ privacy. The FTC charged the social media giant with violating a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.
The FTC said the penalty is the largest ever imposed on any company for violating consumers’ privacy and is nearly 20 times larger than the next biggest privacy or data security penalty imposed anywhere. Nevertheless, it’s a relative drop in the bucket for the social media giant, which took in $16.9 billion in revenue during the second quarter of 2019 alone.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons in a statement. “The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
According to the FTC, more than 185 million people in the US and Canada use Facebook daily. It said Facebook monetizes user information through targeted advertising, which generated $55.8 billion in revenue last year.
The penalty followed a yearlong investigation by the FTC, which said Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences, allowing the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook friends. The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing.
In addition, the FTC alleges that Facebook took inadequate steps to deal with apps that it knew were violating its platform policies.
The 20-year settlement requires Facebook to exercise greater oversight over third-party apps, including terminating application developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data. Facebook is also prohibited from using telephone numbers obtained to enable a security feature for advertising. Additionally, Facebook must:
- Provide clear and conspicuous notice of its use of facial recognition technology and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users
- Establish, implement, and maintain a comprehensive data security program
- Encrypt user passwords and regularly scan to detect whether any passwords are stored in plain text
- Refrain from asking for email passwords to other services when consumers sign up for its services
Meanwhile, the SEC said Facebook agreed to pay $100 million to settle charges that it made misleading disclosures regarding the risk of misuse of Facebook user data. The SEC said that for more than two years, Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when the company knew a third-party developer had actually misused Facebook user data.
According to the SEC’s complaint, in 2014 and 2015, the now-defunct advertising and data analytics company Cambridge Analytica paid an academic researcher to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans. The researcher also violated Facebook’s policies by transferring to Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays, and page likes, which Cambridge Analytica used in connection with its political advertising activities.
The SEC’s complaint alleges that Facebook discovered the misuse of its users’ information in 2015, but did nothing to correct its existing disclosure for more than two years. The regulator said Facebook continued to tell investors that users’ data “may” be improperly accessed, used, or disclosed when they knew for a fact it actually was.
The complaint said Facebook reinforced the false impression that there had been no data breach when it told reporters investigating Cambridge Analytica’s use of Facebook user data that the company had discovered no evidence of wrongdoing. The complaint also alleges that during the two-year period, Facebook had no specific policies or procedures in place to assess the results of their investigation for the purposes of making accurate disclosures in its public filings.
“We allege that Facebook exacerbated its disclosure failures when it misled reporters who asked the company about its investigation into Cambridge Analytica,” said Erin Schneider, director of the SEC’s San Francisco Regional Office. “This gave further weight to Facebook’s misleading statements in its public filings.”
Related Stories:
Treasurers Demand Zuckerberg Quit as Facebook ChairmanCalSTRS Takes a Hard Stance on Facebook’s Governance
Soros Rips Facebook, Google at Davos