FTC fines Facebook $5 billion over Cambridge Analytica scandal

The company must also appoint an independent privacy committee to its board of directors.

  • The FTC said Facebook violated a 2012 agreement it made with the agency over user data.
  • Facebook must restructure its board of directors, undergo regular privacy audits and pay a $5 billion fine.
  • Still, some say the punishment doesn't go far enough.


The Federal Trade Commission (FTC) has ordered Facebook to create new layers of oversight on how it handles user data, and to pay a $5 billion fine, according to an agreement announced Wednesday between the company and the federal agency.

The punishment results from an FTC investigation into Facebook that was prompted after news broke of the 2018 Cambridge Analytica scandal. Cambridge Analytica was a British consulting firm that used a third-party app to harvest personal data from approximately 87 million Facebook users.

The FTC said that, by letting this third-party app collect users' data without their clear knowledge and consent, Facebook violated a 2012 settlement order the agency had reached with the social media company.

Under the new agreement, Facebook must add an independent privacy committee to its board of directors, which the FTC wrote will remove "unfettered control by Facebook's CEO Mark Zuckerberg over decisions affecting user privacy." This new committee will be charged with appointing "compliance officers" who can be held accountable if the company mishandles users' data. Facebook must also submit to regular privacy audits.

"The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers' privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide," said FTC officials in a press statement.

But some think the punishment is merely a slap on the wrist. The FTC's sole two Democratic commissioners disagreed with their three Republican colleagues over the new settlement, which stopped short of holding Zuckerberg personally accountable for mishandling user data, and also granted immunity to Facebook executives for actions taken before June 12, 2019.

"I fear it leaves the American public vulnerable," Rebecca Kelly Slaughter, a Democratic commissioner, told The New York Times.

"While it is difficult in this case to quantify the economic value of the violations to the company, there is good reason to believe $5 billion is a substantial undervaluation," Slaughter wrote in a statement to CNBC.

Facebook said the new agreement represents a "fundamental shift" in its approach to user privacy.

"It will mark a sharper turn toward privacy, on a different scale than anything we've done in the past," Facebook staff wrote in a blog post. "We will be more robust in ensuring that we identify, assess, and mitigate privacy risk. We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards."

The FTC also ordered Facebook to implement several other new privacy requirements:

  • Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook's platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

Facebook was also fined $100 million on Wednesday by the Securities and Exchange Commission for misleading investors after the Cambridge Analytica story broke. Facebook also faces a separate lawsuit from the Department of Justice over claims that the company "repeatedly used deceptive disclosures and settings to undermine users' privacy."

It's unclear whether the new penalty will actually force Facebook to "fundamentally shift" how it handles user privacy. But, at least according to the FTC's three Republican commissioners, it didn't seem reasonable, legally speaking, to push for harsher punishments at this time.

"Is the relief we would obtain through this settlement equal to or better than what we could reasonably obtain through litigation?" they told The New York Times. "If the answer had been 'no,' it would have made sense to aggressively move forward in court. The answer, however, was 'yes.'"
