Facebook has agreed to pay a record-breaking $5 billion fine to resolve a U.S. government probe into its privacy practices and the social media giant will restructure its approach to privacy.

The U.S. Federal Trade Commission said on Wednesday that it voted 3-2 along party lines to adopt the settlement, which requires court approval, even as Democrats said the settlement did not go far enough or require a large enough fine.

“Despite repeated promises to its billions of users worldwide that they could control how personal information is shared Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons, a Republican, in a statement.

The FTC has been investigating allegations Facebook inappropriately shared information belonging to 87 million users with the now-defunct British political consulting firm Cambridge Analytica.

The FTC said that Facebook’s data policy was deceptive to “tens of millions” of people who used Facebook’s facial recognition tool and also violated its rules against deceptive practices when it did not disclose phone numbers collected to enable a security feature would be used for advertising.

New Facebook Order Requirements

The FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision making and holding Facebook accountable via overlapping channels of compliance.

The order creates greater accountability at the board of directors level. It establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.

The order also improves accountability at the individual level. Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee—not by Facebook’s CEO or Facebook employees. Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.

The order also strengthens external oversight of Facebook. The order enhances the independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps. The assessor’s biennial assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management. The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order.

As part of Facebook’s order-mandated privacy program, which covers WhatsApp and Instagram, Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy. The designated compliance officers must generate a quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency. The order also requires Facebook to document incidents when data of 500 or more users has been compromised and its efforts to address such an incident, and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.

Additionally, the order imposes new privacy requirements, including the following:

• Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with
• Facebook’s platform policies or fail to justify their need for specific user data;
• Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
• Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
• Facebook must establish, implement, and maintain a comprehensive data security program;
• Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
• Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
  

"We have a responsibility to protect people's privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry," said Facebook CEO Mark Zuckerberg.

As part of this settlement, Facebook is bringing its privacy controls more in line with its financial controls under the Sarbanes-Oxley legislation. Facebook's executives, including Zuckerberg, will have to certify that all of the work they oversee meets Facebook's privacy commitments. "Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program. We've also asked one of our most experienced product leaders to take on the role of Chief Privacy Officer for Products," Zuckerberg added.

Going forward, when Facebook ships a new feature that uses data, or modify an existing feature to use data in new ways, the company will have to document any risks and the steps it is taking to mitigate them. "We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward," Zuckerberg said.

Just this month, and in response to the FTC investigation, Facebook said it discovered that shortcomings in its systems allowed some partners to continue accessing data to provide Facebook features on their products. "While we found no abuse, the new agreement will help ensure against such risks going forward. We will also be more diligent in how we monitor for abuse, and we’ll require developers to be accountable for the ways they use data and comply with our policies," said Facebook's Colin Stretch.

Facebook said it was ending access to friend data by Microsoft and Sony. The company said the data was related to using the social media site on an earlier generation PlayStation or to sync friends’ contact information with another service. “This was our mistake, and we are correcting it,” the company said.

Today, Facebook also resolved an ongoing investigation by the Securities and Exchange Commission. The SEC alleged that Facebook should have had better processes in place to ensure disclosure to investors of data abuse like what occurred with Cambridge Analytica. The SEC also alleged that, after Facebook learned in late 2015 that a developer had transferred data to Cambridge Analytica in violation of Facebook's policies, the social network should have said more about this abuse in its investor disclosures. As part of the settlement with the SEC, Facebook agreed to pay a $100 million penalty.

More than 185 million people in the United States and Canada use Facebook on a daily basis. Facebook monetizes user information through targeted advertising, which generated most of the company’s $55.8 billion in revenues in 2018. To encourage users to share information on its platform, Facebook promises users they can control the privacy of their information through Facebook’s privacy settings.

In a related, but separate development, the FTC also announced today separate law enforcement actions against data analytics company Cambridge Analytica, its former Chief Executive Officer Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, alleging they used false and deceptive tactics to harvest personal information from millions of Facebook users. Kogan and Nix have agreed to a settlement with the FTC that will restrict how they conduct any business in the future.