WASHINGTON -- Federal regulators have fined Facebook $5 billion for privacy violations and are instituting new oversight and restrictions on its business. But they are only holding CEO Mark Zuckerberg personally responsible in a limited fashion.
The fine is the largest the Federal Trade Commission has levied on a tech company, though it won't make much of a dent for a company that had nearly $56 billion in revenue last year. Two of the five commissioners opposed the settlement and said they would have preferred litigation to seek tougher penalties. Privacy advocates worry the settlement will do little to force Facebook to rein in its data-collection practices.
As part of the agency's settlement with Facebook, Zuckerberg will have to personally certify his company's compliance with its privacy programs. The FTC said that false certifications could expose him to civil or criminal penalties.
Some experts had thought the FTC might fine Zuckerberg directly or seriously limit his authority over the company.
Facebook isn't admitting any wrongdoing. The company's top lawyer, Colin Stretch, said the company's FTC settlement will lead to more rigorous management of user privacy - including more technical controls to better automate privacy safeguards.
FTC Chairman Joe Simons said the settlement is "unprecedented in the history of the FTC" and is designed "to change Facebook's entire privacy culture to decrease the likelihood of continued violations."
The FTC opened an investigation into Facebook last year after revelations that data mining firm Cambridge Analytica had gathered details on as many as 87 million Facebook users without their permission. The agency said Wednesday that following its yearlong investigation of the company, the Department of Justice will file a complaint alleging that Facebook "repeatedly used deceptive disclosures and settings to undermine users' privacy preferences."
The agency is also suing Cambridge Analytica over the privacy violations and has settled with its former CEO Alexander Nix and an outside researcher, Aleksandr Kogan, who developed the Facebook app that harvested people's personal information. Cambridge Analytica filed for bankruptcy and hasn't settled the allegations, but Kogan and Nix have agreed to restrictions on how they conduct business in the future. The settlement requires them to delete or destroy all personal information gathered.
Facebook will also pay a separate $100 million fine to the Securities and Exchange Commission to settle charges it made misleading disclosures about the risk of misuse of Facebook user data. The SEC said Facebook presented misuse of data as a hypothetical for two years even though it knew since 2015 that the third-party developer had actually misused user data.
Stretch said Facebook's handling of the Cambridge Analytica affair was "a breach of trust between Facebook and the people who depend on us to protect their data."
Three Republican commissioners voted for the fine while two Democrats opposed it, a clear sign that the restrictions on Facebook don't go as far as critics and privacy advocates had hoped. That wish list included specific punishment for Zuckerberg, strict limits on what data Facebook can collect and possibly even breaking off subsidiaries such as WhatsApp and Instagram.
"The proposed settlement does little to change the business model or practices that led to the recidivism," Commissioner Rohit Chopra wrote in his dissenting statement. He noted that the settlement lacks "any restrictions on the company's mass surveillance or advertising tactics."
Ashkan Soltani, a former FTC chief technologist, said the settlement "amounts to essentially a get-out-of-jail free card for Facebook," by indemnifying the company from government prosecution for all claims prior to June 12.
Simons, the FTC's chairman, said in a news conference Wednesday that the agency has limited legal powers to enforce privacy rules. For stiffer penalties, he said, the agency would have faced long odds in drawn-out litigation.
Commissioner Noah Phillips, a Republican, said the purpose of the action isn't "to vindicate every concern that the world has about Facebook," but it sends important messages that the price of privacy violations is getting higher and "paying attention to privacy issues is something that companies ought to consider whether to elevate to the board level."
But despite the record fine and all the public flogging triggered by the Cambridge Analytica scandal, Facebook is worth more than it was before the blowback began. The company's stock had slipped by less than 1% to $201.51 in Wednesday's midday trading, a few hours after the settlement announcement. The company's market value was hovering around $575 billion - roughly $40 billion above where it stood before the news of the Cambridge abuses broke. Those gains make the $5 billion fine easier to swallow for Facebook and its shareholders.
The FTC had been examining whether that massive breakdown violated a settlement that Facebook reached in 2012 after government regulators concluded the company repeatedly broke its privacy promises to users. That settlement had required that Facebook get user consent to share personal data in ways that override their privacy settings.
The FTC said Facebook's deceptive disclosures about privacy settings allowed it to share users' personal information with third-party apps that their friends had downloaded but to which the users themselves had not given permission.
The agency also found that Facebook misrepresented the extent to which users could decline, or opt out of, facial recognition technology used to identify people in pictures and videos and that it failed to disclose that phone numbers collected for a security feature known as two-factor authentication could also be used for targeted advertising.
Privacy advocates have pushed for the FTC to limit how Facebook can track users - something that would likely cut into its advertising revenue, which relies on businesses being able to show users targeted ads based on their interests and behavior. The FTC did not specify such restrictions on Facebook.
The fine is well above the agency's previous record for privacy violations - $22.5 million - which it dealt to Google in 2012 for bypassing the privacy controls in Apple's Safari browser. There have been even larger fines against non-tech companies, including a $14.7 billion penalty against Volkswagen to settle allegations of cheating on emissions tests and deceiving customers. Equifax will pay at least $700 million to settle lawsuits and investigations over a 2017 data breach; the FTC was one of the parties. The money will likely go to the U.S. Treasury.
The FTC's new 20-year settlement with Facebook establishes an "independent privacy committee" of Facebook directors. The committee's members must be independent, will be appointed by an independent nominating committee and can only be fired by a "supermajority" of Facebook's board of directors. The idea is to remove "unfettered control" by Zuckerberg, the FTC said.
Since the Cambridge Analytica debacle erupted more than a year ago, Facebook has vowed to do a better job corralling its users' data. Nevertheless, other missteps have come up since then.
In December, for example, the Menlo Park, California, company acknowledged a software flaw had exposed the photos of about 7 million users to a wider audience than they had intended. It also acknowledged giving big tech companies like Amazon and Yahoo extensive access to users' personal data, in effect exempting them from its usual privacy rules. And it collected call and text logs from phones running Google's Android system in 2015.
Amid all that, Zuckerberg and his chief lieutenant, Sheryl Sandberg, apologized repeatedly. In March, Zuckerberg unveiled a new, "privacy-focused" vision for the social network that emphasizes private messaging and groups based on users' interests.
The fine does not spell closure for Facebook, although the company's investors - and executives - have been eager to put it behind them. Facebook is still under various investigations in the U.S. and elsewhere in the world, including the European Union, Germany and Canada. There are also broader antitrust concerns that have been the subject of congressional hearings and led the Justice Department this week to announce that it has opened an investigation into major tech companies.
AT A GLANCE: Here's a look at the key elements of the settlement, in which Facebook does not admit to any wrongdoing.
-- Facebook will pay $5 billion, about 9% of its revenue last year, to federal authorities.
NEW PRIVACY REQUIREMENTS
-- Facebook will have to more closely police how third-party developers use its platforms and ensure it no longer allows preferential partners to access data on unwitting Facebook users. Sony and Microsoft were still doing so until Wednesday.
-- Facebook must provide "clear and conspicuous" notice on how it is using facial recognition technology, and must obtain "affirmative consent" from users if it expands the use of facial recognition beyond what it has previously disclosed.
-- Facebook is forbidden to use telephone numbers provided for account security - for instance, ones used to help verify user logins - for advertising.
-- Facebook is prohibited from asking for email addresses to other services when users sign up for its services.
-- Facebook must encrypt passwords and has to scan regularly for any stored in plain text, which makes them vulnerable to hackers.
-- Facebook must establish a comprehensive data security program.
-- Facebook will have to create a new board committee focused on data privacy. The members of the "privacy committee" must be independent and cannot be removed by founder and CEO Mark Zuckerberg. They will regularly brief Facebook management.
-- CEO Mark Zuckerberg and compliance officers will have to submit quarterly reports that the company is meeting its privacy commitments. Zuckerberg could face civil and criminal liabilities if his certifications are false. He is not named personally as a defendant in the settlement, however, and still retains some powers over the board.
-- Outside monitors, including the Federal Trade Commission and an independent "assessor," will have access to information on Facebook's privacy decisions. The assessor will meet quarterly with the privacy committee, both with and without the presence of Facebook management. The assessor will evaluate Facebook's data privacy program and submit the findings to the FTC every two years.
-- Facebook management will brief the privacy committee every quarter and the committee will propose fixes to any issues that come up.
-- Facebook will assess data privacy risks of each new product before it is launched. Its conclusions will be included in the quarterly privacy review reports.
-- The company must document when the data of 500 or more users has been compromised and notify authorities within 30 days. It must provide reports every 30 days until the incident is fully investigated or resolved.