12:48 PM, Jul 24, 2019 — Facebook (FB) will pay a record $5 billion fine and submit itself to new restrictions and a corporate structure that will hold the social-media giant accountable for users’ privacy, the Federal Trade Commission said Wednesday.
Separately, the Securities and Exchange Commission said the company will pay $100 million to settle its allegations that Facebook made misleading disclosures regarding the risk of misuse of users’ data.
The FTC said in a statement that its agreement with Facebook settled charges that the company “violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.”
The $5 billion penalty is the largest ever imposed on a company for consumer-privacy violations and “almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide,” the FTC said.
The 20-year settlement order requires Facebook to establish an independent privacy committee of the company’s board of directors to remove “unfettered control” from Chief Executive Mark Zuckerberg over decisions concerning user privacy. The trade commission said members of the committee must be independent and be appointed by an independent nominating committee and can only be fired by a supermajority of the board of directors.
“Over all, these changes go beyond anything required under US law today,” Zuckerberg said in a Facebook post. “The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.”
Facebook will also designate compliance officers to oversee the privacy program, the FTC said, adding that they must be approved by the privacy committee and only that panel can remove them. Those officers and Zuckerberg will be required to independently submit quarterly compliance certifications to the FTC, on top of annual certification of Facebook’s compliance overall with the order, the agency said.
The company will be required to conduct a privacy review of every new or modified product, service, or practice ahead of implementation, according to the regulator, which added that Facebook is required to document when the data of more than 500 users has been compromised and its efforts to address those situations. The company must then deliver that documentation to the FTC within 30 days.
“Any false certification will subject them to individual civil and criminal penalties,” the FTC said.
The SEC said that “for more than two years, Facebook’s public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data.”
According to the SEC, now-defunct advertising and data analytics company Cambridge Analytica paid an academic researcher “to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans.” The commission said Cambridge Analytica then used the information for its political advertising efforts.
The SEC said Facebook discovered the misuse in 2015 but did not correct its disclosure for more than two years. Instead, the company told investors its “users’ data may be improperly accessed, used or disclosed,” the regulator said. In that period, Facebook didn’t have specific policies or procedures to assess the results of its investigation to make accurate disclosures in its public filings.
“Public companies must accurately describe the material risks to their business,” said Stephanie Avakian, co-director of the SEC’s Enforcement Division. “As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they know their user data has been in fact misused. Public companies must have procedures in place to make accurate disclosures about material business risks.”
Facebook neither admitted nor denied the SEC’s allegations, the regulator said.