U.S. regulators have met to discuss imposing a record-setting fine against Facebook Inc. for violating a legally binding agreement with the government to protect the privacy of its users’ personal data, according to three people who are familiar with the deliberations but not authorized to speak on the record.
The fine under consideration at the Federal Trade Commission, which began investigating Facebook last year, would be the first major punishment levied against the social media giant in the United States since before reports emerged last March that the political consulting firm Cambridge Analytica had improperly accessed the personal information of about 87 million Facebook users.
In 2011, Facebook agreed to get user consent for certain changes to privacy settings as part of a settlement of federal charges that the company deceived consumers and forced them to share more personal information with third-party apps than they intended. That complaint arose after Facebook changed some user settings without notifying users, the FTC said at the time.
Last year’s Cambridge Analytica scandal revealed that in 2014 — three years after Facebook reached the settlement with the FTC — a psychology professor who developed a third-party quiz app was able to collect data from the nearly 300,000 people who downloaded his app, as well as from their Facebook friends, totaling some 87 million Facebook users. He then broke Facebook rules by sharing that information with Cambridge Analytica.
Facebook was lambasted for not doing more to prevent the data leak or alerting the affected users immediately after it was discovered.
The FTC’s exact findings in its Facebook investigation and the total amount of the fine, which the agency’s five commissioners have discussed at a private meeting in recent weeks, have not been finalized, two of the people said. Staffers have briefed the commissioners about their investigation, the third person said, and plan to issue a formal recommendation for a fine soon — a move that would then trigger a vote by the commissioners.
Facebook also has talked with FTC staffers about the investigation, one of the people familiar with the probe said, but it is unclear whether the company would settle with the FTC by accepting a significant financial penalty.
The penalty is expected to be much larger than the $22.5-million fine the FTC imposed on Google in 2012. That fine set a record for the largest penalty for violating an agreement with the FTC to improve privacy practices.
The FTC has been closed amid the partial shutdown of the federal government and could not be reached for comment. FTC Chairman Joseph Simons did not respond to a request for comment. Facebook declined to comment.
On Friday, privacy advocates strongly urged the FTC to take aggressive action against Facebook. “The agency now has the legal authority, the evidence, and the public support to act. There can be no excuse for further delay,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, which helped to bring about the FTC’s 2011 charges against Facebook.
The key question for the FTC is whether Facebook’s business practices — and the protections and privacy controls it afforded consumers — violated requirements spelled out in the 2011 consent decree.
The agreement requires Facebook to notify users, and get their permission, before data are shared with third parties in a way that differs from existing privacy settings. The legally binding order also mandates that Facebook obtain users’ affirmative permission before sharing their data with third parties, and it requires the tech giant to tell the FTC when others misuse that information. It also prohibits Facebook from making deceptive statements about its privacy practices.
Privacy advocates have alleged that Facebook violated the terms of that agreement repeatedly, as evidenced by its entanglement with Cambridge Analytica. The data firm, which had ties to the Trump presidential campaign, harnessed personal information about the social networking site’s users in order to better target voters with political messages.
That incident, brought to light by a former Cambridge Analytica employee, sparked an international backlash. Regulators around the world threatened to punish Facebook and rein in the data-collection practices of its Silicon Valley peers. U.S. lawmakers summoned Facebook Chief Executive Mark Zuckerberg to testify on Capitol Hill, where he apologized for the privacy violations.
Since the Cambridge Analytica investigation came to light, other privacy issues with Facebook have emerged — including details about its data-sharing agreements with smartphone and TV device makers, banks and other major businesses and a full roster of third-party apps. More federal fines could still follow as the FTC investigates those matters, two of the people familiar with the probe said.
The penalty would mark the toughest punishment to date levied on Facebook for mishandling its users’ data. Regulators in the United Kingdom assessed a roughly $640,000 fine that Facebook is appealing. The attorney general of the District of Columbia has mounted a lawsuit against the tech giant for its missteps.
The FTC has issued some large fines in recent years against companies that deceive consumers. In 2016, it required Volkswagen to spend more than $14 billion to settle charges related to its mishandling of emissions tests, for example. It also forced identity protection company LifeLock to pay $100 million for failing to secure its data; some of that money was returned to consumers.
Recommendations for fines made by FTC staffers, however, are not always adopted by the five-member commission. In a 2012 investigation against Google, agency staff concluded that the search giant had abused its monopoly power and issued a formal recommendation to the commissioners challenging Google’s practices. The commissioners voted unanimously to end the investigation after Google agreed to voluntarily change some of its practices — a move that led to widespread frustration among agency staff, one of the people said.