The Federal Trade Commission reportedly has reached a settlement agreement with Facebook, fining the company $5 billion dollars over violations of a 2011 consent decree in which the social media giant promised to improve privacy practices. The fine is by far the largest that the FTC has ever levied over the mishandling of consumer data. 

The settlement was first reported Friday afternoon by the Wall Street Journal, and details were scarce. The FTC and Facebook did not immediately respond to CR's requests for comment on any restrictions the agency is imposing on how Facebook collects, stores, uses, and shares consumer data.

In early May, news reports suggested that Facebook could face increased government oversight as part of a settlement. However, consumer advocacy groups, including Consumer Reports, warn that the FTC needs to do more than levying a fine to ensure that Facebook improves the way it handles its users' personal information.

More on Facebook and Privacy

“While the size of the settlement is historic, we don’t yet have all the details," says Marta Tellado, president and CEO of Consumer Reports. "Fines alone will not reform a market ruled by digital giants that can afford $5 billion simply as a cost of doing business. That's why we need to raise the standards for data privacy and hold Big Tech accountable to ensure protections are in place across the board.”

Facebook reported net income of $22.1 billion in 2018. 

"A large fine is necessary and appropriate, but it's not the only remedy" that's needed, says Emory Roane, policy counsel for the Privacy Rights Clearinghouse, a California-based advocacy group. "There’s no real indication that a fine is enough to make Facebook change their practices."

Roane's organization signed onto a letter earlier this year that urged the FTC to impose substantial fines, and require reforms at Facebook including compliance with a set of guidelines called the Fair Information Practices Principles, and improved hiring and management practices. "All we've got so far is a fine," Roane says. 

William E. Kovacic, the chair of the FTC from 2006 to 2011, notes that Facebook has already violated a previous agreement with the government. He says that it's up to Facebook to prove that it is overhauling its business practices. 

"Tell us what you’re going to do to ensure that this couldn't repeat itself later," says Kovacic, who currently teaches law at George Washington University. "That, plus writing a big check, would be a start at re-orienting the company’s compliance efforts."

A number of politicians are also saying that even a massive fine won't be enough to ensure consumers are protected.

“The FTC just gave Facebook a Christmas present five months early," House Antitrust Subcommittee Chairman David N. Cicilline wrote in a statement after the news broke. "It’s very disappointing that such an enormously powerful company that engaged in such serious misconduct is getting a slap on the wrist. This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data. If the FTC won’t protect consumers, Congress surely must." 

Facebook's Many Privacy Scandals

The FTC investigation began in spring 2018 after news came out that Cambridge Analytica, a political data firm that worked for the presidential campaigns of Ted Cruz and then Donald Trump, had acquired data on about 87 million Facebook users without their knowledge or consent. Those people had connections to just 270,000 people who had once participated in an online personality study.

And several additional privacy missteps by Facebook have been revealed since last spring. These include an October 2018 data breacha Facebook bug that let developers improperly download user photos, news that Facebook knowingly let children amass large credit card bills on the site, and recent federal charges against the company for alleged violations of the Fair Housing Act.

In a required report to the Securities and Exchange Commission this spring, Facebook said it was setting aside money to pay a potential multibillion-dollar fine.

A $5 billion fine would be the biggest ever imposed by the FTC in a digital privacy case, far higher than the $22.5 million levied against on Google in 2012

The 2011 consent decree that Facebook has allegedly violated was meant to correct "unfair and deceptive" claims to consumers about privacy protections. Facebook was barred from misrepresenting the privacy of consumer data and was required to provide users with more control over their data.

In addition, the company agreed to submit to third-party audits every two years for the following 20 years to ensure that the company was taking measures to protect consumer privacy.

Those audits apparently didn't work as intended. "The previous order failed," Kovacic, the former FTC chair, says. "The monitoring mechanism of turning oversight over to a third party turned out to not be effective."

Along with other privacy experts interviewed by Consumer Reports, he believes that regulators, and perhaps lawmakers, need to be more directly involved in overseeing consumer privacy protections.