Facebook just got clobbered with a record US$5 billion penalty over the Cambridge Analytica data breach

APFacebook CEO Mark Zuckerberg.
  • The Federal Trade Commission just slammed Facebook with a record $US5 billion penalty over its handling of user data following the giant Cambridge Analytica breach last year.
  • The FTC settlement also requires Facebook to make sweeping changes to its privacy practices and submit itself to more independent scrutiny than ever before.
  • Under the settlement, Facebook must establish a board-level independent privacy committee and designate “compliance officers,” who will be held accountable for the firm’s privacy standards.
  • Separately, the Department of Justice is suing Facebook over accusations the company “repeatedly used deceptive disclosures and settings to undermine users’ privacy.”
  • Visit Business Insider’s homepage for more stories.

The Federal Trade Commission on Wednesday announced it had slapped Facebook with a $US5 billion penalty over the company’s handling of user data, which came to light after the Cambridge Analytica scandal.

The settlement comes after the FTC accused Facebook of violating a 2012 agreement with the commission in which it promised not to hand over user data to third parties without consent.

It represents the biggest penalty the FTC has handed down to a technology company, with the regulator calling it “unprecedented.”

“The $US5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide,” the FTC said in a press statement.

Facebook must make sweeping changes to its privacy standards

As well as the penalty, a wider settlement requires Facebook to make sweeping changes to its privacy practices and submit itself to more independent scrutiny than ever before.

Facebook will be required to restructure its board of directors, mandating an independent privacy committee. The FTC said this committee would remove CEO Mark Zuckerberg’s “unfettered control” over user privacy and would be responsible for appointing “compliance officers” to Facebook’s privacy program. These officers will be held accountable for the firm’s privacy standards.

Members of the new committee must be appointed by an “independent nominating committee” and can be fired only by a “supermajority” of Facebook’s board of directors.

Ime ArchibongGettyFacebook’s vice president of product partnerships, Ime Archibong.

Facebook’s vice president of product partnerships, Ime Archibong,wrote in a blog post that the restructuring would mean a “fundamental shift in the way we work.”

“Under the new framework required by the FTC, we’ll be accountable and transparent about fixing old products that don’t work the way they should and building new products to a higher standard,” Archibong wrote.

The FTC also included a list of six new privacy requirements it’s imposing on Facebook. These are:

  • Increased oversight of third-party apps.
  • A ban on taking users’ phone numbers for security purposes and then using them for advertising (which it admitted to doing last year).
  • Clearly alerting users and getting affirmative consent before using facial recognition.
  • Establishing and maintaining a new and comprehensive data-security program.
  • Encrypting user passwords and regularly scanning to see whether any passwords are being kept in vulnerable, plain-text format (as was discovered in March of this year).
  • A ban on asking for email passwords to other services when users sign up to Facebook.

In a post on Facebook, Zuckerberg said the company had asked one of its “most experienced product leaders” to take on a new role as chief privacy officer for products. He did not name the person.

“Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we’re taking to mitigate them,” Zuckerberg said. “We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward.”

Read more: Facebook gets slammed by new lawsuit from DOJ accusing it of failing to protect your privacy

Facebook expected a large fine, saying in April in its first-quarter earnings report that it had set aside $US3 billion to $US5 billion in anticipation. The company was due to give its second-quarter earnings report later Wednesday.

The FTC fine landed amid a flurry of regulatory activity. Less than an hour after the FTC announced the penalty, the Securities and Exchange Commission fined Facebook $US100 million in a settlement over accusations the company misled investors in the wake of Cambridge Analytica. On Tuesday, a day earlier, the Department of Justice announced a sweeping antitrust investigation into unnamed US tech giants.

Two members of the FTC, Rohit Chopra and Rebecca Kelly Slaughter, felt the penalty was not harsh enough. “While it is difficult in this case to quantify the economic value of the violations to the company, there is good reason to believe $US5 billion is a substantial undervaluation,” Slaughter wrote in a statement to CNBC.

DOJ suing Facebook

Separately, the FTC said the Department of Justice was suing Facebook over accusations the company “repeatedly used deceptive disclosures and settings to undermine users’ privacy.” The lawsuit alleges that Facebook broke its 2012 privacy pact with the FTC after it:

  • Failed to properly screen third-party apps before granting them access to treasure troves of user data.
  • “Misrepresented” users’ ability to control the use of facial-recognition technology.
  • Collected mobile phone numbers for security purposes but did not tell users it would use the information to target advertising.

FTC settles with Cambridge Analytica’s former CEO

The FTC simultaneously announced it was suing the now-defunct Cambridge Analytica and had reached settlements with its disgraced former CEO Alexander Nix and the app developer Aleksandr Kogan, whose “This Is Your Digital Life” app scraped the user data then used by Cambridge Analytica.

The pair have “agreed to administrative orders restricting how they conduct any business in the future, and requiring them to delete or destroy any personal information they collected,” according to the FTC.

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.