Mark Zuckerberg’s comments during this week’s congressional hearings could cost him.

Over 10 hours of questioning about Facebook’s privacy practices on Tuesday and Wednesday, Zuckerberg fielded numerous questions about one of the few government enforcement actions against his company: a 2011 consent decree with the Federal Trade Commission to settle allegations that Facebook made privacy promises it did not keep, including sharing data with other apps without informing users.

The consent decree, which required audits of Facebook’s privacy practices every two years and barred the company from misleading consumers about the privacy of their personal information, was hailed as groundbreaking at the time. It was supposed to prevent the kind of privacy breach that occurred when a Cambridge University researcher used a little-noticed app to collect personal information on 87 million US Facebook users, which he then shared with the political consulting firm Cambridge Analytica.

Zuckerberg was asked repeatedly why Facebook did not inform the FTC when it learned about the Cambridge data sharing in 2015. On Wednesday, US Representative Raul Ruiz (D-California) asked Zuckerberg if Facebook believed it was not required to report the breach under the terms of the consent decree.

“In retrospect it was a mistake. We should have and I wish we had notified and told people then,” Zuckerberg replied. But, he added, “I don’t believe that we necessarily had a legal obligation to do so. I think that it was the right thing to have done.”

On Tuesday, Senator Richard Blumenthal (D-Connecticut) questioned whether Facebook should have permitted the app to gather data in the first place, since its data-gathering practices appear to conflict with the consent decree. Blumenthal said Facebook’s actions amounted to “willful blindness. It was heedless and reckless, which, in fact, amounted to a violation of the FTC consent decree.”

Zuckerberg replied, “Senator, it certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform.”

Last month, the FTC took the unusual step of publicly announcing that it would investigate Facebook’s data-handling practices, one week after The Guardian and The New York Times reported that Cambridge Analytica still held the data gathered by the researcher.

The Cambridge incident laid bare both the FTC’s shortcomings in enforcing its own orders and the agency’s weak arsenal against global behemoths such as Facebook.

“We’re frankly learning just how outrageous it is that [Facebook] completely flouted this order,” says Sam Lester, a consumer privacy fellow with the Electronic Privacy Information Center, whose complaints to the FTC led to the 2011 consent decree.

EPIC is seeking all of the FTC’s communications with Facebook regarding compliance with the consent order under the Federal Freedom of Information Act. Lester says the records may show “whether Facebook had been lying to the FTC, or the FTC had been failing to do its job, or both.”

The FTC has a broad mandate to protect consumers, but has relatively weak authority to issue binding rules and impose penalties. That could prove little comfort to Facebook, since the consent decree it signed specifies penalties of up to $40,000 per violation. With so many users affected, the fines could theoretically run into the trillions.

Two former FTC officials believe the blame lies with Facebook. David Vladeck, the former director of the FTC’s Bureau of Consumer Protection who oversaw the Facebook investigation that led to the 2011 consent decree, expects the new FTC investigation to lead to substantial penalties, and a new, stronger consent decree.

“To this day Facebook cannot ensure people that [their data] isn’t in some server in Russia. That is an utter failure,” says Vladeck, now a professor at Georgetown Law. “Facebook was required to assess these risks and not doing anything to verify [where user data was shared] is just outrageous. They didn’t do any audits, that’s why they didn’t know about Cambridge Analytica until they read about it.”