Facebook will pay a $5bn (£4bn) fine to settle privacy concerns, the US Federal Trade Commission (FTC) has announced.
The social network must also establish an independent privacy committee that Facebook’s chief executive Mark Zuckerberg will not have control over.
The FTC had been probing allegations political consultancy Cambridge Analytica improperly obtained the data of up to 87 million Facebook users.
The probe then widened to include other issues such as facial recognition.
What did Facebook do wrong?
The FTC, a consumer protection agency, began investigating Facebook in March 2018 after it was revealed that personal data was illegally harvested from an online personality quiz and sold to Cambridge Analytica, which may have used it to influence the outcome of the US 2016 presidential election or the UK Brexit referendum.
Although only 270,000 people took the quiz, whistleblower Christopher Wylie alleges that the data of some 50 million users, mainly in the US, was harvested without their explicit consent via their friend networks.
But Cambridge Analytica was not the only firm to have access to users’ personal data – the data was gathered using Facebook’s infrastructure at that time, and many other developers had taken advantage of it, but they were not authorised to share the data with others.
Facebook was fined £500,000 by the UK’s data protection watchdog for its role in the Cambridge Analytica data scandal in October.
What did the US government say about the violations?
The FTC found that certain Facebook policies violated rules against deceptive practices, ruling that Facebook’s data policy was deceptive to people who used its facial recognition tool.
The social network also fell foul of the regulator by not revealing that phone numbers collected for two-factor authentication would be used for advertising.
FTC representatives from all US political parties voted the settlement deal through, despite concerns from Democrats that the fine was not big enough and that the settlement did not go far enough.
The $5bn fine is believed to be the biggest ever imposed on any company for violating consumers’ privacy. It is also almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
What happened to Cambridge Analytica?
In May 2018, Cambridge Analytica filed for bankruptcy in the US, blaming a “siege of media coverage” for driving away customers and forcing its closure.
As part of a proposed settlement with the FTC, two of the defendants – former Cambridge Analytica chief executive Alexander Nix and app developer Aleksandr Kogan – have agreed to administrative orders restricting how they conduct any business in the future.
The pair are also required to delete or destroy any personal information they collected.
Since Cambridge Analytica filed for bankruptcy, it has not settled the FTC’s allegations.
What does Facebook say it will do in the future?
In a post on Facebook, Mr Zuckerberg said that the firm would be making structural changes to how its products were built and how the company is run.
Privacy practices would now be headed by a new chief privacy officer for products.
“We have a responsibility to protect people’s privacy,” Mr Zuckerberg wrote.
He added that Facebook was reviewing technical systems to document possible privacy risks, and going forward, whenever the social network built a new product that used data, or a feature changed the way it used data, possible privacy risks would need to be documented and mitigated.
These new practices would go far beyond what is currently required of tech firms under US law, he stressed.
“We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward,” he said.
“As we build our privacy-focused vision for the future of social networking that I outlined earlier this year, it’s critical we get this right.”
Is Facebook facing other investigations?
At the same time that the FTC made its announcement, the US Securities and Exchange Commission (SEC) announced charges against Facebook for making misleading disclosures regarding the risk of misuse of user data.
As a result, Facebook has agreed to pay $100m to settle the charges.
The SEC found that although Facebook discovered the misuse of its users’ information in 2015, it did not clarify this for two years, instead telling investors that users’ data “may” have been improperly accessed.
The social network also told the media that it had discovered no evidence of wrongdoing in Cambridge Analytica’s use of Facebook user data. Furthermore, Facebook did not have specific procedures in place to assess the results of its investigation in order to make accurate disclosures in Facebook’s public filings.
The US Department of Justice (DoJ) is also investigating leading online platforms to see whether they are unfairly restricting competition.
The DoJ did not name any firms, but companies such as Facebook, Google, Amazon and Apple are likely to be scrutinised in the wide-ranging probe.
It was sparked by “widespread concerns” about “search, social media, and some retail services online,” the DoJ said.
Facebook to pay $5bn to settle privacy concerns