Facebook to Pay Over $5 Billion Following FTC, SEC Settlements

An agreement with the Federal Trade Commission (FTC) requires Facebook to pay a $5 billion penalty, to implement a new privacy and information protection framework, and to provide the FTC with new monitoring tools after an investigation launched following the Cambridge Analytica events.

The settlement is designed to resolve charges alleging that the company violated an FTC consent order from 2012 "by deceiving users about their ability to control the privacy of their personal information."

This is the largest ever consumer privacy violation penalty paid by a company and among the largest ones ever imposed by the U.S. Government for any type of violation.

"Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices," stated FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC."

"The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law."

Highest penalties


Facebook is also required under the settlement's terms to build a multilayered compliance system comprised of an independent privacy committee, compliance officers, and a third-party assessor working in conjunction with the CEO to prevent future events where users are deceived about privacy measures.

Quarterly certifications will be submitted by the compliance officers and Facebook's CEO to the FTC to show that the company is still complying with the privacy framework imposed by the new FTC order.

The independent third-party assessor will detect any gaps in the company's order-mandated privacy program [PDF] which it will directly report on a quarterly basis to the new privacy committee, independent of Facebook’s board of directors, with members removable only by a board supermajority.

Facebook also has to "conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy" per the privacy order.


The company will also have to document, record, and share all events impacting the data of more than 500 users with the new privacy commission and the independent assessor within 30 days after the incident was discovered.

Supplementary privacy obligations also require that:

  • Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

"The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company," said Facebook in a blog post. "It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past."

Also, as detailed by Ime Archibong, Facebook's VP of Product Partnerships, the company also terminated access to collected user data for two of its partners, Microsoft and Sony, which were still using "old code supporting known experiences for people, such as being able to use Facebook on an earlier generation PlayStation (PS3 or Vita) or to sync their friends’ contact information with another service."

"Based on our previous commitments, we are ending these partners’ access to friend data immediately. This was our mistake, and we are correcting it," added Archibong.

$100 million SEC settlement

Another settlement was agreed upon with the Securities and Exchange Commission (SEC) to resolve an investigation on Facebook's failure to include more info regarding the Cambridge Analytica incident with its investor disclosures.

As part of this second settlement with the SEC, Facebook will have to pay an extra $100 million penalty "for making misleading disclosures regarding the risk of misuse of Facebook user data", on top of the $5 billion it agreed to pay to the Treasurer of the United States as part of the FTC settlement.

“We allege that Facebook exacerbated its disclosure failures when it misled reporters who asked the company about its investigation into Cambridge Analytica,” said Erin E. Schneider, Director of the SEC’s San Francisco Regional Office.  “This gave further weight to Facebook’s misleading statements in its public filings.”

Related Articles:

Mozilla Firefox Adding a New Social Tracking Protection Feature

540 Million Facebook Records Leaked by Public Amazon S3 Buckets

D-Link Settles FTC Lawsuit, Promises to Enhance Device Security

Android Horror Game Steals Google, Facebook Credentials and Data

Tech Art Piece Delivers Quick Fix For Social Following Hoarders