Updated at 12:16 p.m. ET
Facebook CEO Mark Zuckerberg will have to personally answer to federal regulators under an agreement to settle a privacy case with the Federal Trade Commission that includes a $5 billion penalty for the giant social media company, the agency announced Wednesday. Separately, Facebook will pay $100 million to settle a case with the Securities and Exchange Commission for making misleading disclosures about the risk that users' data would be misused, the SEC said.
Under the FTC agreement, Zuckerberg will be required to submit quarterly compliance reports directly to the federal regulators and to Facebook's board of directors. If the Facebook co-founder or "designated compliance officers" violate the agreement, they could be subject to civil and criminal penalties, the FTC said.
"There's no way that the CEO can bury his head in the sand," James Kohm, head of the FTC's enforcement unit, told NPR. "There's no ostrich defense."
According to FTC investigators, Facebook violated the terms of its 2011 settlement with the agency, in which it promised to protect user data from broad sharing with third-party apps. The company also committed new violations, they said.
Kohm described two major incidents in which Facebook effectively lied to users.
First, the company solicited phone numbers, saying they were being collected to verify users' identity if a password needed to be reset. Millions of people trusted the company, and then Facebook took those phone numbers and used them not just for security, but also for advertising purposes, the FTC said.
Also, according to regulators, the company conducted facial recognition tracking on 60 million users without proper consent. Facebook must notify users who were affected and offer to delete the data collected.
In a blog post Wednesday, Facebook said the FTC agreement "is not only about regulators, it's about rebuilding trust with people. ...
"We have heard that words and apologies are not enough and that we need to show action. By resolving both the SEC and the FTC investigations, we hope to close this chapter and turn our focus and resources toward the future," the company said.
In a separate post, Zuckerberg wrote: "We have a responsibility to protect people's privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry."
In an earnings call earlier this year, Facebook disclosed it was expected to pay a multi-billion-dollar fine to regulators. Following the company's announcement, the stock price jumped. Investors continued to have faith in the business.
The FTC voted 3-2 in favor of the settlement. FTC Commissioner Rohit Chopra, one of the dissenters, said the $5 billion penalty "makes for a good headline, but the terms and conditions, including blanket immunity for Facebook executives and no real restraints on Facebook's business model, do not fix the core problems that led to these violations."
The other "no" vote came from Commissioner Rebecca Kelly Slaughter. She said the settlement doesn't go far enough in deterring the company because it lacks "both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook's data use and order compliance."
Some critics charge the FTC fine is too small, but Kohm said it sends a tough message.
"The idea that $5 billion is a slap on the wrist just doesn't pass the laugh test. It is an enormous amount of profits," he said. "[Facebook] didn't give it up easily. It is way higher than any case in U.S. history other than Deepwater Horizon [the Gulf of Mexico oil spill], where there was massive amounts of harm."
Data privacy harm is less tangible than oil spill harm. But the FTC says the $5 billion is for deterrence — to send a message to other tech companies. Kohm says Facebook fought against it, though the company didn't want to litigate.
The settlement comes as big tech companies such as Facebook, Google and Amazon face increased calls for regulation amid scrutiny over whether they're too big and powerful.
It follows by one day the Justice Department's announcement that its antitrust division is reviewing "whether and how market-leading online platforms have achieved market power and are engaging in practices that have reduced competition, stifled innovation, or otherwise harmed consumers." The department did not say which companies are under review.
The FTC's investigation of Facebook began more than a year ago in the wake of revelations that Cambridge Analytica, a firm that had worked with President Trump's 2016 campaign, had gathered personal data from up to 87 million Facebook users.
Facebook had been in negotiations with the FTC following concerns that the social media giant violated the 2011 consent decree in which it promised to give consumers "clear and prominent notice" when sharing their data with others and to get "express consent."
And on Wednesday, the company settled a case with securities regulators over the Cambridge Analytica matter. The SEC said Facebook "discovered the misuse of its users' information in 2015, but did not correct its existing disclosure for more than two years." Instead, the agency said, "Facebook continued to tell investors that 'our users' data may be improperly accessed, used or disclosed.' "
"Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused," Stephanie Avakian, co-director of the SEC's Enforcement Division, said in a statement. "Public companies must have procedures in place to make accurate disclosures about material business risks."
Facebook told investors in April that it expected to pay a fine of up to $5 billion in a settlement with the FTC. By comparison, the company reported $55.8 billion in revenues and a profit of $22.1 billion last year.
Facebook is one of NPR's financial sponsors.
Zuckerberg faced hours of questioning in congressional hearings in April 2018 over the Cambridge Analytica scandal and how Facebook handled user data. "We didn't take a broad enough view of our responsibility, and that was a big mistake. It was my mistake, and I'm sorry," he told lawmakers.
Days earlier, Facebook Chief Operating Officer Sheryl Sandberg told NPR in an interview: "We really believed in protecting privacy. But we were way too idealistic. We did not think enough about the abuse cases."
In March 2019, Zuckerberg promised to bring encryption and self-destruct features to Messenger and other Facebook apps, in a move meant to signal the company's commitment to privacy.
Facebook denied reports in June 2018 that the company exposed its users' private information to other big tech companies as part of a plan to become ubiquitous on mobile devices.
Earlier this year, several groups that advocate for children's rights and privacy rights asked the FTC to investigate whether Facebook illegally enticed children to spend money on in-game purchases without their parents' consent.
And Facebook's plan to launch a digital currency has drawn skepticism from lawmakers, who cited the company's repeated missteps over privacy.
MARY LOUISE KELLY, HOST:
The Federal Trade Commission announced today that Facebook will pay a $5 billion fine for rampant privacy violations. CEO Mark Zuckerberg will have to answer directly to regulators as part of the settlement. For some perspective, though - the company's quarterly earnings were also announced today. And Facebook made $16.9 billion. Well, here to talk about the deal is NPR's Aarti Shahani.
AARTI SHAHANI, BYLINE: Hi.
KELLY: All right. So give me the highlights. What is this deal that has now emerged between the FTC and Facebook?
SHAHANI: Yes. It was filed today, and it's kind of a follow-up. Back in 2011, Facebook promised the FTC it would stop sharing user data with third parties, outside apps. And according to the FTC's head of enforcement, the company broke its promise while the ink was still drying on that deal. Facebook had turned users into the product. What a person clicks, likes, who their friends are - these got packaged and monetized. Advertisers and other app developers, like Cambridge Analytica, would pay for access. Facebook promised the government it would stop harvesting and sharing data so liberally, but it didn't. Facebook also tricked users into handing over phone numbers. In theory, it was for security for password resets. In reality, the company used those numbers for advertising too. And regulators say Facebook lied about facial recognition. About 60 million Facebook users can expect to get a note telling them the company was tracking without proper permission.
KELLY: Wow. So that is the quite staggering context - 60 million users going to get a note. What in this deal will compel Facebook to change its ways?
SHAHANI: So now going forward, Facebook needs to spell out exactly what data it's collecting and what it's sharing. The government hasn't imposed limits from outside. Facebook will decide for itself. But it will have to give quarterly reports to the FTC and its own board. Zuckerberg has to sign them. And if Facebook gets caught violating, Zuckerberg would be subject to civil as well as criminal penalties. I'd also note Facebook, which is an NPR sponsor, disclosed today that the FTC has begun a separate anti-trust investigation.
KELLY: To your point that you just made about Mark Zuckerberg and that he will be personally accountable if Facebook does not follow the rules going forward - that must count as a big win from the point of view of the FTC.
SHAHANI: Yeah. So the three Republicans at the FTC who approved the deal say, yes. They are getting way more money from Facebook than litigation would ever have gotten and sending a strong message to other CEOs - abuse user privacy, and we'll make you pay. But one FTC member, Democrat Rohit Chopra, who dissented - he thinks Zuckerberg got off the hook.
SHAHANI: Yeah. So the CEO was supposed to make sure his company complied with the original settlement order, OK? He didn't. The FTC could have slammed him with a civil suit now. Regulators would not need to prove that Zuckerberg lied, just that he failed in his duty and there's - that's a much lower burden with plenty of evidence. So Chopra wanted to see Zuckerberg deposed in court and forced to disclose what he knew. Now that opportunity is gone.
KELLY: Well, what is Facebook saying about all this?
SHAHANI: The CEO issued a post today. And I got to say it's classic Zuckerberg - spin the embarrassing development into another example of Facebook's desire to do good and go above and beyond. He wrote, quote, "we already work hard to live up to this responsibility" - meaning protecting privacy - "but now we're going to set a completely new standard for our industry." He said hundreds of engineers and more than a thousand people across the company would implement this privacy-focused vision. What he didn't mention is that his legal team fought tooth and nail on every aspect of this deal. That's according to the FTC. As one regulator put it, Facebook settled and didn't go to court because that would have been quite embarrassing. Company documents would have been revealed.
SHAHANI: Now Facebook gets to break the bad news on the same day as the Mueller hearing.
KELLY: NPR's Aarti Shahani, thanks so much.
SHAHANI: Thank you. Transcript provided by NPR, Copyright NPR.