The US Federal Trade Commission (FTC) has formally fined Facebook $5bn (€4.5bn) for privacy violations and enforced strict new oversight rules.
The agency opened an investigation into the social network last year after the Cambridge Analytica data scandal.
As part of the settlement, the FTC said Facebook chief executive Mark Zuckerberg will have to personally certify the company’s compliance with privacy measures and the company must submit quarterly privacy reviews to show its measures are working.
Facebook assessed $5 billion penalty, subjected to sweeping new restrictions on user privacy decisions to settle FTC charges the company violated a 2012 FTC order by deceiving users about their ability to control privacy of their personal info. Read more: https://t.co/NYx2JnKmJV pic.twitter.com/7KVd3Vg02J
— FTC (@FTC) July 24, 2019
Failure to comply with the new measures could see Mr Zuckerberg face civil or criminal penalties, the FTC said.
It is part of what the FTC called “unprecedented new restrictions on Facebook’s business operations” which will create “multiple channels of compliance” that will ensure company executives are accountable for privacy decisions.
The fine is the largest imposed on a company for violating consumer privacy, the FTC said.
FTC chairman Joe Simons said: “Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices.
“The magnitude of the $5bn penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.
“The commission takes consumer privacy seriously and will enforce FTC orders to the fullest extent of the law.”
In a statement posted to his Facebook page, Mr Zuckerberg said: “We’ve formally reached a settlement with the Federal Trade Commission about privacy.
“We’ve agreed to pay a historic fine, but even more important, we’re going to make some major structural changes to how we build products and run this company.
“Our executives, including me, will have to certify that all of the work we oversee meets our privacy commitments. Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy programme.
“We’ve also asked one of our most experienced product leaders to take on the role of chief privacy officer for products.”
In the settlement filing, the FTC said Facebook’s fine was due to the firm violating a previous order from the Commission by deceiving users about their ability to control the privacy of their personal information.
The Commission alleges that Facebook failed to protect user data from third-parties, misled some users over a facial recognition feature being turned off by default and used phone numbers provided by users for security reasons to serve adverts.
Facebook is to pay the €4.4bn fine and introduce the new privacy measures in order to settle the charges.
The social network will now have to carry out privacy audits on any new or updated product it launches which uses data, documenting any risks and how it plans to mitigate them.
“We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward,” Mr Zuckerberg said.
“Overall, these changes go beyond anything required under US law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.”
The FTC also announced a lawsuit against Cambridge Analytica and said it had reached settlements with the data analysis firm’s former chief executive Alexander Nix and app developer Aleksandr Kogan – who worked with the company and whose personality quiz app was linked to the Facebook data scandal.
Mr Nix and Mr Kogan have agreed to a settlement which will restrict how they conduct any business in the future and requires them to delete or destroy any personal data they collected, the agency said.