Facebook lost control of our data. Now it's paying a record $5 billion fine

It turns out the company will pay a price after all for its endless scandals. But don't worry, Facebook made $22 billion last year.

Ian Sherr Contributor and Former Editor at Large / News


Facebook is notching a record breaker. The Federal Trade Commission on Wednesday announced that Facebook agreed to pay a $5 billion fine over privacy violations and its failure to inform tens of millions of users about a data leak that happened years ago. The fine is the largest the US regulator has levied against a tech company.

The settlement will require Facebook CEO Mark Zuckerberg, as well as other designated compliance officers, to certify that the company is taking steps to protect user privacy. A false statement could potentially expose them to penalties. The order also removes some of Zuckerberg's control over privacy decisions by creating an independent privacy committee of the company's board of directors. 

"Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers' choices," said FTC Chairman Joe Simons in a release. "The relief is designed not only to punish future violations but, more importantly, to change Facebook's entire privacy culture to decrease the likelihood of continued violations."

The multibillion-dollar fine -- which is in addition to a $100 million settlement with the US Securities and Exchange Commission -- marks the first significant punishment Facebook has received for the storm of privacy and security scandals that have engulfed the company for more than a year. The issues, which range from the spread of fake news to improperly secured personal data, have prompted governments around the world to consider regulating social networks.

Facebook CEO Mark Zuckerberg said in a statement Wednesday that the social network would make "major structural changes" to how it builds products and conducts business.

"We have a responsibility to protect people's privacy," Zuckerberg wrote. "We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry."


The FTC settlement could mark a turning point in how governments treat social networks like Facebook, Twitter, Instagram and YouTube for bad behavior. Over the years, harassers, trolls and propagandists have taken advantage of the sites, which often don't strictly enforce their own rules. That's created increasingly toxic environments in which personal attacks, hatred and fake news spread. It's also allowed the sites to be exploited by governments, as with Russia's illegal influence in the 2016 US presidential election.

Though the US is just starting its efforts to rein in tech, the European Union and the UK are ramping up privacy protections for their citizens. The EU has begun enforcing the General Data Protection Regulation (GDPR), a sweeping law that requires companies to give people control over their data and to quickly inform them if data is mishandled. The UK, meanwhile, is considering new regulatory roles in government to safeguard internet users' interests and punish companies that don't. But none of them has yet taken on Facebook directly.

The settlement follows months of negotiations after the FTC claimed Facebook had violated a 2011 agreement to protect user privacy after breaking promises to users that it would do so. In April, Facebook telegraphed that a deal was in the works by telling investors it was prepared to pay as much as $5 billion related to the FTC investigation. That's significantly higher than the previous record, set when Google paid $22.5 million in a 2012 FTC settlement over tracking users.

At one point in negotiations with Facebook, the FTC considered a higher fine, according to reporting from the Washington Post. There was also debate about whether to make Zuckerberg personally accountable for the company's privacy screwups.

"If the FTC is seen as traffic police handing out speeding tickets to companies profiting off breaking the law, then Facebook and others will continue to push the boundaries," wrote Democratic Sen. Richard Blumenthal of Connecticut and Sen. Josh Hawley, a Missouri Republican, in a May letter to the FTC.

In response to the FTC settlement, Facebook on Wednesday said it's made large strides on privacy but more changes are in store.

"We will be more robust in ensuring that we identify, assess and mitigate privacy risk," wrote Facebook's Colin Stretch in a blog post. "We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards."

The settlement also imposes other privacy requirements, including greater oversight over third-party apps and "clear and conspicuous notice" of its use of facial recognition. Facebook must also encrypt user passwords and regularly check for any passwords stored in plain text. In addition, the order prohibits the social network from using, for advertising, phone numbers it obtained to enable two-factor authentication, and from "asking for email passwords to other services when consumers sign up for its services."

The US Department of Justice, which worked with the FTC, said it's committed to making sure Facebook and other social media companies don't mislead consumers about their personal information. 

"This settlement's historic penalty and compliance terms will benefit American consumers, and the Department expects Facebook to treat its privacy obligations with the utmost seriousness," said Jody Hunt, assistant attorney general for the DOJ's Civil Division, in a release.

The FTC fine stems from Facebook's inability to control the data of as many as 87 million of its users. That info ended up in the hands of Cambridge Analytica, a political consultancy. The organization has been accused of using data gleaned from Facebook users to influence political campaigns, including the Brexit vote and the 2016 presidential campaign that led to the election of Donald Trump.

Also on Wednesday, the Securities and Exchange Commission announced it'll fine Facebook $100 million as part of a settlement tied to a probe into the social network's handling of users' data. The investor protection agency alleged that Facebook's public disclosures didn't offer sufficient warning that developers and other third parties may, in obtaining user data, have violated the social network's policies or failed to gain user permission. 

Originally published July 24 at 5:45 a.m. PT.
Update at 6:24 a.m. PT: Adds statement by Mark Zuckerberg. 7:09 a.m. PT: Adds more details on the settlement and the statement by Jody Hunt.
