Facebook will pay a record $5bn (Ksh520 billion) fine to settle privacy concerns, the US Federal Trade Commission (FTC) has said.
The social network must also establish an independent privacy committee that Facebook’s chief executive Mark Zuckerberg will not have control over.
The FTC had been probing allegations political consultancy Cambridge Analytica improperly obtained the data of up to 87 million Facebook users.
The probe then widened to include other issues such as facial recognition.
The $5bn fine is believed to be the biggest ever imposed on any company for violating consumers’ privacy.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC chairman Joe Simons.
He added that the heavy fine was designed “to change Facebook’s entire privacy culture to decrease the likelihood of continued violations”.
What did Facebook do wrong?
The FTC’s Bureau of Consumer Protection began investigating Facebook in March 2018 after it was revealed that personal data was illegally harvested from an online personality quiz and sold to Cambridge Analytica, a data analytics firm.
There were subsequent claims the data may have been used to try and influence the outcome of the 2016 US presidential election and the UK Brexit referendum.
Although only 270,000 people took the quiz, whistleblower Christopher Wylie alleges that the data of some 50 million users, mainly in the US, was harvested without their explicit consent via their friend networks.
But Cambridge Analytica was not the only firm to have access to users’ personal data – the data was gathered using Facebook’s infrastructure at that time, and many other developers had taken advantage of it without authorisation.
Facebook was fined £500,000 by the UK’s data protection watchdog for its role in the Cambridge Analytica data scandal in October.
What did the US government say about the violations?
Confirming previous reports, the FTC found that certain Facebook policies violated rules against deceptive practices. For instance, it said Facebook’s data policy was deceptive to people who used its facial recognition tool.
The social network also fell foul of the regulator by not revealing that phone numbers collected for two-factor authentication would be used for advertising.
FTC representatives from both the Democrat and Republican parties voted the settlement deal through, although some dissented, arguing it did not go far enough.
Democrat Rohit Chopra tweeted the fine would not stop Facebook from “engaging in surveillance” and that Mark Zuckerberg and other executives had got “blanket immunity for their role in the violations”.
Does the fine matter?
Analysis: Chris Baraniuk, BBC technology reporter
Facebook has deep pockets – the firm’s annual revenue last year was $55bn. However, the FTC’s fine will still irritate the tech giant. In a press release, the company acknowledged unequivocally that its involvement in the Cambridge Analytica scandal was “a breach of trust” with its users.
The regulatory action will be taken by some as a general sign that mishandling user data can incur real consequences from US authorities. For years, apps and websites have casually harvested personal information for murky ends. While this will undoubtedly continue in many quarters, with every crackdown, such activity only becomes more contentious.
But there are those who think the FTC could have gone further. And one, Alex Stamos, Facebook’s former chief security officer, thinks the settlement actually benefits the company.
By restricting the flow of data, Facebook may get to effectively hoard its 2.4 billion users, he argues, rather than allow them to access third party apps or competing social networks.
What happened to Cambridge Analytica?
In May 2018, Cambridge Analytica filed for bankruptcy in the US, blaming a “siege of media coverage” for driving away customers and forcing its closure.
As part of a separate settlement with the FTC, two of the defendants – former Cambridge Analytica chief executive Alexander Nix and app developer Aleksandr Kogan – have agreed to administrative orders restricting how they conduct any business in the future.
The pair are also required to delete or destroy any personal information they collected.
The FTC also launched a lawsuit against the bankrupt company, which is yet to settle the agency’s allegations.
What changes has Facebook promised to make?
In a post on Facebook, Mr Zuckerberg said the firm had “a responsibility to protect people’s privacy” and would be changing how its products were developed and how the company is run.
He said that Facebook was reviewing its technical systems to identify possible privacy risks, and going forward, whenever the social network built a new product that used data, or a feature changed the way it used data, possible privacy risks would need to be addressed.
“Overall, these changes go beyond anything required under US law today,” he said.
“We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward,” he added.
Is Facebook facing other investigations?
At the same time that the FTC made its announcement, the US Securities and Exchange Commission (SEC) announced charges against Facebook for making misleading disclosures regarding its handling of user data.
As a result, Facebook has agreed to pay $100m to settle the claims.
The SEC found that although Facebook discovered the misuse of its users’ information in 2015, it did not clarify this for two years, instead telling investors that user data “may” have been improperly accessed.
The US Department of Justice (DoJ) is also investigating leading online platforms to see whether they are unfairly restricting competition.
The DoJ did not name any firms, but giants such as Facebook, Google, Amazon and Apple are likely to be scrutinised in the wide-ranging probe.