Facebook may have to pay a multi-billion dollar fine for violating its users' privacy—or face a lawsuit from the Federal Trade Commission.

The FTC has been investigating Facebook and is negotiating with the company "over a multi-billion dollar fine that would settle the agency's investigation," The Washington Post reported yesterday, citing "people familiar with the probe." New York Times sources also confirmed that the current negotiations "could amount to a record, multibillion-dollar fine."

The investigation focuses on whether Facebook violated the terms of a 2011 settlement with the FTC. In the 2011 case, the FTC said that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public."

The settlement prohibited Facebook from misrepresenting the privacy or security of user information, and it required Facebook to get consumers' express consent before making changes that override their privacy settings.

Cambridge Analytica spurred investigation

The current investigation began in March 2018, after revelations that up to 87 million users' information was improperly shared with Cambridge Analytica, a political consulting firm that did work for Donald Trump's presidential campaign. FTC investigators have been examining Facebook's conduct in the Cambridge Analytica case and "a series of additional privacy mishaps made public in recent months," the Post wrote.

Facebook could face a tough court case if the negotiations break down. Facebook denies violating the 2011 settlement, and the company "has expressed initial concern with the FTC’s demands," the Post reported. "If talks break down, the FTC could take the matter to court in what would likely be a bruising legal fight."

Privacy revelations about Facebook since the Cambridge Analytica scandal include that the company made the posts of 14 million users public even though the users had shared those posts with only a limited number of contacts, gave tech companies access to users' personal data, and made the private photos of millions of people public.

When contacted by Ars, Facebook declined to comment on the FTC investigation and negotiations. Facebook instead pointed to one of its previous statements from months ago, which said the company is "cooperating with officials in the US, UK, and beyond. We've provided public testimony, answered questions, and pledged to continue our assistance as their work continues."

Facebook should be "regulated as public utility"

The FTC has the authority to fine Facebook at least $70 billion based on the scope of its violations, the Electronic Privacy Information Center (EPIC) and other consumer groups told the FTC in a letter last month. But such a large fine isn't likely, EPIC said. Based on the FTC's previous practices, "we anticipate that the fine against Facebook would exceed $2 billion," the letter said.

"Facebook has violated the [2011] consent order on numerous occasions, involving the personal data of millions, possibly billions, of users of its services," EPIC also wrote.

The 2011 settlement stemmed from complaints filed by EPIC and other consumer groups. In addition to a fine, EPIC's letter last month urged various structural remedies for the Cambridge Analytica scandal and other privacy violations. Among other things, EPIC said that Facebook should have to divest WhatsApp and Instagram, comply with "fair information practices," stop collecting personal data from people who don't use Facebook, and change the company's governance structure.

"We urge the Commission to either restore the right of Facebook users to have meaningful input into the company's decisions or to recommend to Congress that Facebook be regulated as a public utility," EPIC wrote. "Facebook has operated for too long with too little democratic accountability. That should now end."