Facebook CEO Mark Zuckerberg at the company's headquarters in Menlo Park, Calif. (Marcio Jose Sanchez/AP)

Almost as soon as Joe Simons took his seat at a Senate committee hearing in November, he found himself under political siege. It had been eight months since the agency he leads, the Federal Trade Commission, had announced a sweeping privacy investigation into Facebook, and lawmakers were growing wary that the government might not stand up to the tech giant.

“All too often the FTC has fallen short,” said Sen. Richard Blumenthal (Conn.), one of the panel’s top Democrats, blasting regulators for a “lack of will.”

“Our goal is to vigorously enforce,” Simons pledged in response.

Now, as federal regulators finalize a settlement with Facebook, some critics say their fears were justified. The package of penalties for Facebook’s past privacy scandals includes a record-breaking $5 billion fine and unprecedented government oversight of its business practices. But a Washington Post review of the 16-month investigation — described by 10 people familiar with the matter — shows that the FTC stopped short of some even tougher punishments it initially had in mind.

Those included fining Facebook not just $5 billion, but tens of billions of dollars, and imposing more direct liability for the company’s chief executive, Mark Zuckerberg. Facebook, however, fiercely resisted the government’s demands, and in the end, the FTC, facing a formidable foe whose $55 billion in revenue last year amounted to almost 200 times the budget afforded to the federal regulators, settled for less.

The experience illustrates the challenges facing a 105-year-old agency hamstrung in the kinds of penalties it can pursue by the nation’s lack of a national consumer privacy law. While some lawmakers bemoan the FTC’s inability to punish Facebook, Congress has yet to advance legislation that would give the FTC a stronger hand as it confronts some of the most profitable corporations in the global economy. Some analysts expect Facebook to post $16.5 billion in revenue when it reports its results for the second quarter of 2019 on Wednesday.

Facebook declined to comment for this story. The FTC also declined to comment.

Under the settlement, which has not yet been made public, Facebook is expected to submit to heightened federal scrutiny. It could be required to certify — through its executives as well as its board of directors — that it is considering privacy risks when it collects information, taps it in new ways or makes it accessible to third parties, including app developers.

The inclusion of a $5 billion fine sets a record for the FTC, dwarfing by far the $22.5 million penalty handed down to Google in 2012 for improperly tracking Web users. The matter is in the hands of the Justice Department, which could finalize the Facebook settlement as soon as this week.

“Even if $5 billion is something people think is easily payable by Facebook, it is a record-breaking amount by a wide margin,” said Jessica Rich, the former director of the FTC’s Bureau of Consumer Protection. Cautioning she would need to see the full settlement to gauge it, she said of the fine: “It sends a message.”

The spark for the government’s investigation into Facebook was Cambridge Analytica, a political consultancy with ties to the upper echelons of Trump’s 2016 presidential campaign. The firm sought to harness the power of Facebook data — including users’ likes and interests — to create “psychographic” profiles of users and better target its clients’ political messages.

In doing so, Cambridge Analytica relied on a quiz app created by a third-party researcher that collected data about those who installed it as well as their Facebook friends, a practice the company allowed until a series of rule changes in 2015. Revelations three years later about the data it amassed — putting 87 million Facebook users’ information at risk for further misuse — sparked an international backlash from regulators who saw it as a sign of Silicon Valley’s endemic problems with privacy.

By the end of March 2018, the FTC announced its own probe into Facebook, an unexpected move for a federal enforcement agency that typically says nothing about its work to probe corporate wrongdoers. The investigation sought to determine if Facebook broke promises it made to the government in 2011 to improve its privacy practices, a legally binding accord that ended an earlier inquiry into the social-networking giant. Violations threatened Facebook with steep fines, though Facebook for months maintained publicly that it didn’t breach the accord.

The commission’s task — immediately seen as a litmus test of its power to oversee Silicon Valley — fell chiefly to Simons, who had joined the FTC’s two other Republicans and two Democrats in spring 2018. Simons assumed the chairmanship of the agency in May after decades of practicing antitrust law for the government and a host of private-sector clients.

The FTC’s probe into Facebook only widened amid a torrent of additional revelations about its privacy practices. That June, for example, Facebook acknowledged it had shared user information with 52 hardware and software makers, including Amazon, Microsoft and Huawei, as well as apps including Hinge, an online-dating service, and Spotify, a music-streaming giant, in ways that might not have been readily apparent to users. Each of the new disclosures triggered fierce criticism among privacy hawks, who questioned why the FTC — which had been watching Facebook since 2012 — never spotted a single violation at the company in the first place.

By the end of 2018, staff investigators at the FTC had concluded that Facebook had breached its previous agreement with the government. Taking into account the total number of users who had seen misleading privacy disclosures about Facebook — a form of deception in the eyes of the FTC — the agency computed a theoretical maximum fine that reached into the tens of billions of dollars.

However, Facebook had a different understanding of its own errors: The tech giant internally believed at most it should be paying into the hundreds of millions of dollars, and the company felt it could easily prevail in court if it had to battle the FTC over how it calculates fines and what qualifies as a violation. In the end, Facebook still offered to pay more than it believed was required in a bid to assuage regulators and win other concessions from the feds.

A primary concern: Zuckerberg and other top-tier Facebook executives. The commission’s Democratic members — Rohit Chopra and Rebecca Kelly Slaughter — for months had hinted publicly their belief that corporate leaders should be held personally accountable for their companies’ repeated privacy mishaps.

Such a move could have resulted in Zuckerberg, personally, being put under an FTC order, opening the door for fines and other penalties against him if Facebook erred again in the future. The FTC had considered placing Zuckerberg under order during its last investigation in 2011, according to documents obtained under federal open-records rules first reported by The Washington Post. But the commission ultimately abandoned the idea, prompting lawmakers eight years later to impugn the agency for being too weak.

Facebook’s team of lawyers, overseen by Colin Stretch, then the company’s general counsel, steadfastly opposed placing Zuckerberg under order, including during meetings with commission negotiators starting last year. The tech giant’s internal briefing materials reflected its willingness to cease settlement talks and send the matter to court, if necessary, to protect their executive from one of the most severe penalties the FTC could levy on him directly. Commission staff at one point sought to include in their order a section that pointed out all the times that Zuckerberg had spoken or posted publicly about Facebook’s privacy commitments. Facebook vigorously battled against that, too.

Facebook leaders further sought to ward off any restrictions on the way they collect data in the first place, another long-sought stipulation by commission Democrats who felt the agency should seek injunctions to change companies’ behavior — not just monitor them for years to come. Privacy watchdog groups, including the Electronic Privacy Information Center, heavily emphasized the need for these “structural remedies” at Facebook for more than a year.

For both the FTC and Facebook, a war in federal court could have carried immense risks. It might have put Zuckerberg and his fellow executives on the stand in a public trial, opening the company and its controversial data-collection practices to unprecedented public scrutiny. The public grilling could have threatened Facebook’s standing in the eyes of shareholders and users alike, and, even if the company won, heightened the possibility that regulators would respond with privacy laws that they had long threatened but never actually passed.

The stakes were just as high for the FTC: Internally, the agency knew that it wasn’t guaranteed to get a multibillion-dollar fine and other new commitments from a federal judge. Adding to the trouble, the agency, armed with a relatively small $306 million budget in 2018 that supported roughly 1,100 employees, had to confront the possibility that it might be outmatched in such litigation. Even Simons appeared to warn Congress about the resource challenges when he appeared in front of Senate lawmakers last November, repeatedly citing some of the agency’s staffing and budget challenges.

“Many of the FTC’s investigations and cases in this arena involve complex facts and technologies and well-financed defendants, often requiring outside experts, which can be costly,” he said in prepared testimony.

A loss also could have immensely damaged the agency, perhaps setting a legal standard that curtailed the commission’s authority to police other tech giants for their privacy and security practices. In recent years, the FTC has suffered such setbacks, including a 2018 defeat in a pharmaceutical case. That ruling threatened to curtail the commission’s power to bring some lawsuits against companies that may have harmed consumers in the past but later stopped.

“It could be curtailed by a court decision, which might come down eight years down the line,” said Omer Tene, vice president at the International Association of Privacy Professionals. “Certainly a company like Facebook has the firepower to fight fire with fire and actually take the U.S. government all the way to the Supreme Court, and maybe once and for all settle the authority the FTC has in privacy and data security.”

The size of the fine, Zuckerberg’s absence and the FTC’s decision to focus much of its settlement on transparency and oversight split the commission, prompting its Democratic members to vote against the settlement in July. Chopra and Slaughter each declined to comment.

Some of the people interviewed for this story expressed concern that Facebook may not have had to admit guilt as part of the settlement with the FTC, either. In the agency’s 2012 privacy settlement with Google, the search giant similarly managed to deny “any violation” had run afoul of a previous order brokered with the FTC. The agency adopted a similar approach in a settlement announced Monday with Equifax, with Equifax not admitting any wrongdoing two years after it left more than 147 million Americans’ personal data exposed.

On Capitol Hill, Democrats and Republicans alike reacted to the Facebook deal with outrage, even though over the roughly 480 days that the FTC investigated Facebook, lawmakers had failed to pass a single privacy bill that might have empowered the FTC to be tougher on tech giants.

“If the FTC is seen as traffic police handing out speeding tickets to companies profiting off breaking the law, then Facebook and others will continue to push the boundaries,” Blumenthal and Sen. Josh Hawley (R-Mo.), a top tech critic, wrote in a letter to the agency earlier this month.

Emphasizing the need for tougher penalties against Facebook beyond a multibillion-dollar fine, they added: “The Facebook investigation will be a defining moment for the commission.”