U.S. regulators have met to discuss imposing a record-setting fine against Facebook for violating a legally binding agreement with the government to protect the privacy of its users' personal data, according to three people familiar with the deliberations but not authorized to speak on the record.
The fine under consideration at the Federal Trade Commission, a privacy and security watchdog that began probing Facebook last year, would mark the first major punishment levied against Facebook in the United States since reports emerged in March that Cambridge Analytica, a political consultancy, accessed personal information on about 87 million Facebook users without their knowledge.
The penalty is expected to be much larger than the $22.5 million fine the agency imposed on Google in 2012. That fine set a record for the greatest penalty for violating an agreement with the FTC to improve its privacy practices.
The FTC’s exact findings in its Facebook investigation and the total amount of the fine, which the agency’s five commissioners have discussed at a private meeting in recent weeks, have not been finalized, two of the people said. Staff has briefed the commissioners about their probe, the third person said, and plan to issue a formal recommendation for a fine soon — a move that would then trigger a vote by the commissioners.
Facebook also has talked with FTC staffers about the investigation, one of the people familiar with the probe said, but it is unclear whether the company would settle with the FTC by accepting a significant financial penalty.
The FTC, which has been shut down amid the lapse in government funding, could not be reached for comment. FTC Chairman Joseph Simons did not respond to a request for comment. Facebook declined to comment.
On Friday, privacy advocates strongly urged the FTC to take aggressive action against Facebook. “The agency now has the legal authority, the evidence, and the public support to act. There can be no excuse for further delay,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, which helped to bring about the FTC’s 2011 charges against Facebook.
The key question for the FTC is whether Facebook’s business practices — and the protections and privacy controls it afforded consumers — violated requirements spelled out in a consent decree brokered by the agency the last time it accused the tech giant of deceiving its users. Only through such a finding could the FTC levy a fine.
The agreement requires Facebook to notify users, and seek their permission, before data is shared with third parties in a way that differs from existing privacy settings. The legally binding order also mandates that Facebook obtain users' affirmative permission before sharing their data with third parties, and requires the tech giant to tell the FTC in cases where others misuse that information. It prohibits Facebook from making deceptive statements about its privacy practices and institute outside checkups on the way it uses data.
Privacy advocates have charged that Facebook violated the terms of that agreement repeatedly, as evidenced by its entanglement with Cambridge Analytica. The data firm, which had ties to the Trump campaign, improperly harnessed personal information about the social networking site’s users to better target voters with political messages. Cambridge Analytica relied on researchers to assemble a quiz app that collected names, locations, interests and other data from those who installed it, as well as their friends.
The incident, brought to light by a former Cambridge Analytica employee, sparked an international backlash. Regulators around the world threatened to punish Facebook and rein in the data-collection practices of its Silicon Valley peers. Lawmakers in the U.S. Congress summoned Facebook CEO Mark Zuckerberg to testify for the first time on Capitol Hill, where he apologized to lawmakers for the privacy violations.
Since the Cambridge Analytica probe came to light, other privacy troubles with Facebook have emerged — including details about its data-sharing agreements with smartphone and TV device-makers, banks and other major businesses and a full roster of third-party apps. More federal fines could still follow as the FTC investigates those matters, two of the people familiar with the probe said.
The penalty would mark the toughest punishment to date levied on Facebook for mishandling its users’ data. Regulators in the United Kingdom assessed a roughly $640,000 fine that Facebook is appealing. The attorney general of the District of Columbia has mounted a lawsuit against the tech giant for its missteps.
The FTC has issued large fines in recent years against companies that deceive consumers. It required Volkswagen in 2016 to spend more than $14 billion to settle charges related to its mishandling of emissions tests, for example, and it forced LifeLock, an identity-protection company, to pay more than $100 million for failing to secure its data. Some of that money was returned to LifeLock consumers.
Recommendations for fines made by FTC staff, however, are not always adopted by the five-member commission. In a 2012 investigation against Google, agency staff concluded that the search giant had abused its monopoly power and issued a formal recommendation to the commissioners challenging Google’s practices. The commissioners voted unanimously to end the investigation after Google agreed to voluntarily change some of his practices, a move that led to widespread frustration among agency staff, one of the people said.