The Federal Trade Commission is looking at Facebook's privacy practices following its data scandal. Separately, 37 state attorneys general demand answers too.
Facebook's Cambridge Analytica problems could cost it $40,000 a day in penalties. That's $40,000 every day since Nov. 29, 2011 -- when Facebook signed a consent decree to protect users' privacy -- for each violation.
The social media company may face those penalties if the Federal Trade Commission finds Facebook violated that decree. At the time, the FTC contended that Facebook made users' information public without warning them or asking for permission. The decree mandated that the social media company notify users and obtain their consent to share information with third parties.
The FTC on Monday said it's investigating Facebook's privacy practices after the Cambridge Analytica debacle.
"The FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook," Tom Pahl, acting director of the agency's bureau of consumer protection, said in a statement. "Today, the FTC is confirming that it has an open non-public investigation into these practices."
As reported last week, the FTC is interested in whether Facebook's handling of the Cambridge Analytica scandal violated the decree it signed more than six years ago. Facebook is under intense scrutiny after The New York Times, The Guardian and the Observer revealed that Cambridge Analytica -- a data consultancy that helps businesses and political parties "change audience behavior" -- had gotten its hands on data from tens of millions of Facebook users.
That data came from an app created by University of Cambridge neuroscientist Aleksander Kogan. Facebook CEO Mark Zuckerberg on Wednesday said Kogan's app was installed by 300,000 people, giving Kogan access to their friends' data, too. According to the Times, the total number of Facebook users affected could be more than 50 million.
The FTC's decision to investigate signals growing government interest and concerns with Facebook's impact on its 2.2 billion worldwide users.
"I'm sure this is much bigger than Cambridge Analytica and I'm sure there are other Cambridge Analyticas out there," Senator John Kennedy, Republican from Louisiana, told the Times. "Facebook isn't just a company, it is so powerful it is like a country."
Separately, 37 state attorneys general sent a letter Monday to Facebook with questions for the company related to Cambridge Analytica.
"Facebook has made promises about users' privacy in the past, and we need to know that users can trust Facebook. With the information we have now, our trust has been broken," the letter states (PDF).
The misuse of the data, which was collected in 2013 through a personality quiz called "thisisyourdigitallife," shed light on how poorly Facebook has handled personal information. The app was able to grab data from an extended network of friends, a valuable trove of information that Cambridge Analytica allegedly used to target political ads.
Cambridge Analytica has denied any wrongdoing.
Zuckerberg has apologized to the social network's users for what he called a "breach of trust" and said he's addressing the app exploit. He vowed to investigate all apps that have had access to large amounts of information and to "conduct a full audit of any app with suspicious activity."
But Zuckerberg still faces calls to testify before Congress. During an interview with CNN, Zuckerberg said he would do so -- with some caveats.
"So what we try to do is send the person at Facebook who will have the most knowledge about what Congress is trying to learn," he said. "So if that's me, then I am happy to go."
He may not have much choice in the matter. On Monday, the Senate judiciary committee sent Zuckerberg invitation to appear before an April 10 hearing on how social media companies handle user data. (The CEOs of Google and Twitter are also invited.) The House committee on energy and commerce may also soon get around to requesting his presence.
Zuckerberg went on an apology tour last week following five days of silence on the matter. The lack of a response from the CEO spurred hashtags like #whereszuck and #deletefacebook, with companies like Tesla and Space X and individuals like Cher taking real action.
The 37 state attorneys general who sent the letter Monday to Facebook have specifically requested "prompt" answers to seven questions.
"Were those terms of service clear and understandable, or buried in boilerplate where few users would even read them? How did Facebook monitor what these developers did with all the data that they collected? What type of controls did Facebook have over the data given to developers?" they asked.
"Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user's data? How many users in our respective states were impacted? When did Facebook learn of this breach of privacy protections? During this timeframe, what other third party 'research' applications were also able to access the data of unsuspecting Facebook users?"
Facebook shares, which are down almost 14 percent since the Cambridge Analytica scandal broke March 16, dropped nearly 6 percent in morning trading Monday. The stock recovered some but was down 3.66 percent at 10 a.m. PT.
Cambridge Analytica didn't immediately respond to CNET's request for comment.
First published March 26 at 8:51 a.m. PT.
Update, 9:23 a.m. PT: To include additional background and context.
Update, 10:01 a.m. PT: Adds letter from state attorneys general and stock price.
Update, 1:12 p.m. PT: Added information on the Senate judiciary hearing and other background.
Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.
Special Reports: CNET's in-depth features in one place.