Facebook has agreed to pay a $5 billion fine and improve privacy protections for its billions of users, but privacy experts say the settlement doesn't go far enough to rein in the social media giant.

As expected, the Federal Trade Commission finalized an agreement with Facebook to have the company pay the record fine and implement reforms after failing to keep consumer data safe, violating a 2011 settlement over previous privacy infractions.  

"It's significant money," says former FTC chair William E. Kovacic. "This is the first time that anyone has written a check for $5 billion to the U.S. government. But, arguably, the fine isn't the most important aspect of the settlement. By itself, it's probably not enough to change behavior." 

The FTC says that even though Facebook agreed in 2011 to improve its business practices, the company misled consumers about the use of their personal information. For example, the agency said Facebook used phone numbers that users had provided for security purposes to target those users with advertisements.

Additionally, the FTC found, the company made it difficult for people to control facial recognition, despite Facebook's promises to roll out simple, uniform settings. This problem was uncovered by Consumer Reports in May and reported to the agency. (CR's investigation is cited in the FTC complaint.)

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” says FTC chair Joe Simons in a press release.

In addition to paying the fine, the FTC agreement calls for Facebook to: 

  • Establish an independent privacy committee within the company’s board of directors
  • Designate compliance officers, including CEO Mark Zuckerberg, to oversee Facebook’s privacy program
  • Cooperate with third-party oversight, requiring an outside auditor's biennial reports to “be based on the assessor’s independent fact-gathering, sampling, and testing, and [not] primarily on assertions or attestations by Facebook management.”
 

'Unfair and Deceptive' Claims

This latest agreement with Facebook doesn't go as far as consumer advocates were proposing. Notably, it doesn't restrict the company’s ability to collect consumer data.

“This settlement doesn’t place any new restrictions on how Facebook can collect or use data going forward," says Justin Brookman, director of consumer privacy and technology policy for Consumer Reports. "Layers of privacy bureaucracy aren’t going to matter if the law doesn’t require Facebook to change. Americans deserve long-overdue privacy protections to ensure that companies like Facebook treat our data fairly.”

The FTC has been investigating possible violations of the 2011 agreement for more than a year, ever since the Cambridge Analytica scandal broke in March 2018, when consumers learned that the personal data of 87 million Facebook users had been misused by a political consulting company. Those people had connections to just 270,000 people who had once participated in an online personality study.

Multiple privacy missteps by Facebook have been revealed since then. They include an October 2018 data breach, a Facebook bug that let developers improperly download user photos, news that Facebook knowingly let children amass large credit card bills on the site, and recent federal charges against the company for alleged violations of the Fair Housing Act.

The first hint about the impending multibillion-dollar fine came in April, when Facebook, in a mandatory financial filing, suggested that the company would need to set aside between $3 billion and $5 billion to pay for the fine. 

The largest previous fine for a consumer privacy violation was a $22.5 million penalty imposed on Google in 2012. To put the $5 billion fine in perspective, Facebook's reported profits were $22.1 billion in 2018. 

How to Fix the Privacy Problem

While some advocates have been critical of the FTC, others say the blame lies with Congress, which has gradually weakened the FTC's powers while failing to enact effective, comprehensive privacy legislation.

"The FTC is not empowered to address Facebook's biggest problems," says CR's Brookman. "The FTC can only enforce a hundred-year-old general-purpose consumer protection statute prohibiting 'unfair or deceptive acts or practices.' Companies can typically avoid deception charges by simply not telling you what they’re doing—or only mentioning it in long and unreadable privacy policies."

The FTC's authority has actually been degraded since the 1980s, says Brookman, who was formerly the policy director of the FTC's Office of Technology Research and Investigation. "The unfairness authority has been narrowed to only cover practices that are proven to cause consumers 'significant harm'—a difficult prospect where the effects of privacy violations are difficult to detect and quantify," he says.

A number of consumer advocacy organizations support national privacy legislation, often pointing to the California Consumer Privacy Act, due to take effect in 2020, and Europe's General Data Protection Regulation, or GDPR, as examples.

“The FTC’s action is too little, too late," says Marc Rotenberg, president of the Electronic Privacy Information Center [EPIC]. "American consumers cannot wait another decade for the Commission to act against a company that violates their privacy rights. Congress should move quickly to establish a data protection agency."

Marta Tellado, president and CEO of Consumer Reports, says, “As expected, the size of the settlement is historic, but these attempts to hold Facebook accountable are not enough to make a real difference. With a weak and under-resourced FTC, and a glaring need for far more comprehensive privacy laws, Congress must raise the standards for consumers and hold Big Tech accountable. Lawmakers have a responsibility to pass laws that offer real protections, giving consumers control of their data and the FTC the power it needs to rein in Big Tech.”