WASHINGTON (CBSNewYork/AP) — Federal regulators have fined Facebook $5 billion for privacy violations and are instituting new oversight and restrictions on its business. But they are only holding CEO Mark Zuckerberg personally responsible in a limited fashion.
The fine is the largest the Federal Trade Commission has levied on a tech company, though it won’t make much of a dent for a company that had nearly $56 billion in revenue last year.
As part of the agency’s settlement with Facebook, Zuckerberg will have to personally certify his company’s compliance with its privacy programs. The FTC said that false certifications could expose him to civil or criminal penalties.
Some experts had thought the FTC might fine Zuckerberg directly or seriously limit his authority over the company.
“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” Joe Simons, the chairman of the FTC, said in a statement. He added that the new restrictions are designed “to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”
Facebook does not admit any wrongdoing as part of the settlement.
Two of the five commissioners opposed the settlement and said they would have preferred litigation to seek tougher penalties.
The commission opened an investigation into Facebook last year after revelations that data mining firm Cambridge Analytica had gathered details on as many as 87 million Facebook users without their permission. The agency said Wednesday that following its yearlong investigation of the company, the Department of Justice will file a complaint alleging that Facebook “repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences.”
DiNapoli, writing in his capacity as trustee of the state retirement fund, said he will vote against the nominees for Facebook’s board of directors at next year’s annual investor meeting unless the company agrees to a series of changes, such as the selection of an independent chairman who has no material interest in the company.
The retirement fund currently holds more than $1 billion in Facebook shares, making DiNapoli an important voice among shareholders.
Zuckerberg has led the board since 2012. Facebook has not responded to DiNapoli’s comments.
In March, after a security researcher exposed the lapse, Facebook admitted it had left hundreds of millions of user passwords readable by its employees for years.
Late last year, Facebook faced another round of allegations that the company violated users’ privacy on a much larger scale than previously disclosed.
A New York Times report details how Facebook allegedly gave some of its partners a wide range of access to data from its 2.5 billion users for years and never told anyone.
The FTC had been examining whether that massive breakdown violated a settlement that Facebook reached in 2012 after government regulators concluded the company repeatedly broke its privacy promises to users. That settlement had required that Facebook get user consent to share personal data in ways that override their privacy settings.
The FTC said Facebook’s deceptive disclosures about privacy settings allowed it to share users’ personal information with third-party apps that their friends downloaded but the users themselves did not give permissions to.
Privacy advocates have pushed for the FTC to limit how Facebook can track users — something that would likely cut into its advertising revenue, which relies on businesses being able to show users targeted ads based on their interests and behavior. The FTC did not specify such restrictions on Facebook.
Three Republican commissioners voted for the fine while two Democrats opposed it, a clear sign that the restrictions on Facebook don’t go as far as critics and privacy advocates had hoped. That wish list included specific punishment for Zuckerberg, strict limits on what data Facebook can collect and possibly even breaking off subsidiaries such as WhatsApp and Instagram.
“The proposed settlement does little to change the business model or practices that led to the recidivism,” wrote Commissioner Rohit Chopra in his dissenting statement. He noted that the settlement imposes “no meaningful changes” to the company’s structure or business model. “Nor does it include any restrictions on the company’s mass surveillance or advertising tactics,” he wrote.
The fine is well above the agency’s previous record for privacy violations — $22.5 million — which it dealt to Google in 2012 for bypassing the privacy controls in Apple’s Safari browser. There have been even larger fines against non-tech companies, including a $14.7 billion penalty against Volkswagen to settle allegations of cheating on emissions tests and deceiving customers. Equifax will pay at least $700 million to settle lawsuits and investigations over a 2017 data breach; the FTC was one of the parties. The money will likely go to the U.S. Treasury.
The FTC’s new 20-year settlement with Facebook establishes an “independent privacy committee” of Facebook directors. The committee’s members must be independent, will be appointed by an independent nominating committee and can only be fired by a “supermajority” of Facebook’s board of directors. The idea is to remove “unfettered control” by Zuckerberg, the FTC said.
Since the Cambridge Analytica debacle erupted more than a year ago, Facebook has vowed to do a better job corralling its users’ data. Nevertheless, other missteps have come up since then.
In December, for example, the Menlo Park, California, company acknowledged a software flaw had exposed the photos of about 7 million users to a wider audience than they had intended. It also acknowledged giving big tech companies like Amazon and Yahoo extensive access to users’ personal data, in effect exempting them from its usual privacy rules. And it collected call and text logs from phones running Google’s Android system in 2015.
Amid all that, Zuckerberg and his chief lieutenant, Sheryl Sandberg, apologized repeatedly. In March, Zuckerberg unveiled a new, “privacy-focused” vision for the social network that emphasizes private messaging and groups based on users’ interests.
But critics and privacy advocates are not convinced that either a fine or Facebook’s new model amounts to a substantial change.
If the company’s business practices don’t change as a result of the FTC’s action, “there is no benefit to consumers,” said Marc Rotenberg, the president and executive director of the Washington-based nonprofit Electronic Privacy Information Center.
“The eight-year delay won’t be justified,” he said, referring to when Facebook first told the FTC it would do better.
The fine does not spell closure for Facebook, although the company’s investors — and executives — have been eager to put it behind them. Facebook is still under various investigations in the U.S. and elsewhere in the world, including the European Union, Germany and Canada. There are also broader antitrust concerns that have been the subject of congressional hearings, though it is too early to see if those will come to fruition.
Matt Stoller, a fellow at the Open Markets Institute, which has been critical of Facebook, said the company should admit wrongdoing.
“There should be structural solutions to force competition into the social networking market,” he added. “One of the angles for competition is privacy. They will compete to make a safer space to retain their user base.”
“After months of negotiations, we’ve reached an agreement with the Federal Trade Commission that provides a comprehensive new framework for protecting people’s privacy and the information they give us.
“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.
“The accountability required by this agreement surpasses current US law and we hope will be a model for the industry. It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements. Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working — and that we find and fix them when they are not.”
To read the rest of the statement, see Facebook’s web site.
(© Copyright 2019 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)