The Federal Trade Commission today announced a long-rumored, record-smashing $5 billion settlement with Facebook over allegations related to user privacy.

The fine is high, and the settlement demands more privacy oversight at the company. But what the deal does not do is find anyone, including CEO Mark Zuckerberg, personally responsible, nor does it mandate huge changes to the way Facebook collects data—only to the way it makes disclosures and honors user settings.

Facebook repeatedly "subverted users' privacy choices to serve its own business interests," the FTC said in the order (PDF). The company's actions violated a previous settlement requiring Facebook to adhere to certain privacy guidelines.

The commission voted 3-2 along party lines to support the settlement. The two commissioners who voted against adopting the settlement, Democrats Rebecca Kelly Slaughter and Rohit Chopra, said it went nowhere near far enough, leaving Facebook ample room to get up to mischief in the future.

What it's all about

The biggest set of charges in the settlement relate to Facebook allowing third-party app developers to access data about users' friends, without saying they were doing so—the heart of the Cambridge Analytica scandal.

"At least tens of millions of American users relied on Facebook's deceptive privacy settings and statements to restrict the sharing of their information," the complaint says, "when, in fact, third-party developers could access and collect their data through their friends' use of third-party developers' apps."

The settlement reflected several charges about how Facebook handled third-party app permissions for years, all brought to light by investigations that began in the wake of the Cambridge Analytica revelations.

Additionally, the FTC said Facebook violated the earlier order in three further ways: by "misrepresenting" consumers' ability to opt out of facial recognition, by using phone numbers provided for two-factor authentication for advertising purposes without notifying users, and by storing user passwords without encryption.

The $5 billion penalty is equivalent to about 9% of Facebook's annual revenue, or 23% of its 2018 profit, FTC Chairman Joseph Simons said, adding that the fine is "unprecedented in global privacy enforcement" and "one of the largest civil penalties for any type of conduct in US history, alongside cases involving enormous environmental damage and massive financial fraud."

In addition to the blockbuster $5 billion deal, regulators also announced two separate, smaller settlements related to Facebook's privacy practices today. The first is a $100 million settlement between the FTC and Cambridge Analytica, the company of data scandal fame. The FTC charged Cambridge Analytica, along with developer Aleksandr Kogan and former CEO Alexander Nix, with deceiving customers by claiming they did not collect any personally identifiable data when, in fact, they did.

The US Securities and Exchange Commission also accused Facebook of deception, but of investors rather than of users. Facebook is paying $100 million to settle charges that, for two years, its disclosures "presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data," the SEC said.

The terms

In addition to the $5 billion fine, which goes straight to the US Treasury, the new order requires Facebook to establish and adhere to a new governance structure for reviewing user privacy on its services, including Instagram and WhatsApp.

The company's board of directors must form an independent privacy committee, removing "unfettered control" of decisions affecting user privacy from CEO Mark Zuckerberg. Members of that privacy committee will be nominated by a separate independent nominating committee, and they can only be removed by a supermajority of the eight-member board.

The agreement also requires that committee to designate specific compliance officers who will be responsible for handling privacy compliance at Facebook. Only that committee can remove those compliance officers, the FTC noted, not Zuckerberg or other Facebook employees.

In addition to FTC monitoring, a third-party entity will also regularly review Facebook's data collection practices for the next 20 years. That assessor's findings "must be based on the assessor's independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management," the FTC said.

Both Zuckerberg and the compliance officers must submit quarterly and annual privacy certifications to the FTC, guaranteeing the company's compliance. Both civil and criminal penalties are possible if those certifications are found to be false.

The company must also agree to a litany of other requirements, including greater oversight of third-party apps, beefed up disclosures about facial recognition, the establishment of a new data security program, and more.

Facebook in a statement said the settlement would bring "rigorous new standards for protecting your privacy."

The agreement "will require a fundamental shift in the way we approach our work" and will "mark a sharper turn toward privacy, on a different scale than anything we've done in the past," the company continued. "The accountability required by this agreement surpasses current US law and we hope will be a model for the industry."

Facebook's statement omits the fact that the US does not have a national privacy law.

Transparency not included

Slaughter said in her dissent (PDF) that the settlement "falls short" against the allegations in the case. "I don't think the terms in this order go far enough to change Facebook or ensure accountability," she said. "There are no substantive limitations on Facebook's data collection, use, and sharing. And there is no public transparency."

The record "more than justified initiating litigation against Facebook and Mr. Zuckerberg," Slaughter said. "When executives at large companies exercise control over decisions, including decisions to break the law, they should be held accountable the same way executives at smaller companies are."

Although going to court does carry the risk of losing your case, "even an adverse finding or a lackluster remedy can further the public good," she wrote. "Disappointing results help build the public case that there are deficits in the law that Congress must address."

Aside from the issue of suing Zuckerberg, Slaughter said, the $5 billion, while an objectively large sum of money, is nowhere near enough. "I regard the injury to the public and the institutions of our democracy to be quite substantial," she said. Facebook could and should easily pay much more, she said, since FTC orders, such as the 2011 one the company now stands accused of violating, clearly do not motivate it to behave better.

Chopra's dissent (PDF) voiced similar sentiments.

Nothing in the order gives Facebook any incentive to leave its lucrative behavioral advertising model behind, and so in the long run, nothing will change, Chopra said:

This thirst for data has led the company to harvest intimate, personal details about tens of millions of Americans on a scale and scope that are almost unimaginable. Facebook's data collection is both ongoing and increasing, as the company continues to add new means of surveillance that can be difficult to avoid. To facilitate further data acquisition, Facebook grants itself the right to surveil, own, and monetize users' private information by binding them to constantly evolving take-it-or-leave-it terms at sign-on.

The $5 billion fine "makes for a good headline," he wrote, "but the terms and conditions, including blanket immunity for Facebook executives and no real restraints on Facebook's business model, do not fix the core problems that led to these violations."

A win for Facebook?

Technology expert Ashkan Soltani, who served as the FTC's chief technologist for a time during the Obama administration, said on Twitter that the settlement "was a terrible outcome for our leading privacy regulator and a very sweet deal for Facebook." He added that, "If this were a game of chess, Facebook just checkmated FTC, flipped the board so it couldn't be played again, and covered the whole thing up with a blanket."

Soltani is not alone in his assessment. Several lawmakers have already heaped scorn on the arrangement. "The FTC not only fell short, it fell on its face," Sen. Edward Markey (D-Mass.) said. "Facebook is getting away with some of the most egregious corporate bad behavior in the age of the Internet," he added. "This outcome is an insult to consumers."

The frustration isn't limited to Democrats, either. "This is very disappointing," Sen. Josh Hawley (R-Mo.) said. "This settlement does nothing to change Facebook's creepy surveillance of its own users and the misuse of user data. It does nothing to hold executives accountable. It utterly fails to penalize Facebook in any effective way."

FTC Chairman Simons, for his part, pointed to the law as the major issue. For the second time in a week, he called on Congress to pass privacy legislation and give the FTC authority to enforce it.

"We are a law enforcement agency without the authority to promulgate general privacy regulations," Simons said. "Our authority in this case comes from a 100-year-old statute that was never intended to deal with privacy issues like the ones that we address today."

The commission only had two choices, he continued: "One, settle on excellent terms—or two, litigate for years and likely come away, even from a favorable court decision, with far less relief than we announced today. Would it have been nice to get more? To get $10 billion instead of $5 billion, for example? To get greater restrictions on how Facebook collects, uses, and shares data?"

Maybe so, Simons implied, but the agency "cannot impose such things by our own fiat."