Zuckerberg's visit to Capitol Hill was the culmination of months of controversy over a number of issues for Facebook, including the spread of misinformation, hate speech and fake accounts on its platform. But the last straw came after news broke that Cambridge Analytica (CA), a political-consulting firm with ties to the Trump campaign, had misused the private information of as many as 87 million Facebook users. The CEO's apology tour actually began last week, with a series of press interviews and updates to the company's privacy policy. Zuckerberg said he was sorry and that Facebook's recent mishaps were his mistake, and he echoed those sentiments in his testimony before the Senate Commerce and Judiciary Committees as well as the House Energy and Commerce Committee.

Some members of Congress who questioned Zuckerberg, such as Sen. Richard Blumenthal (D-CT) and Rep. Mike Doyle (D-PA), believe Facebook may have violated a settlement it reached with the Federal Trade Commission in 2011. That decree accused Facebook of deceiving consumers by "telling them they could keep their information private and then repeatedly allowing it to be shared and made public" and, as a result, the company would be "barred from making misrepresentations about the privacy or security of consumers' personal information," among other things.

We now know that Facebook learned about the Cambridge Analytica incident in 2015, but it wasn't until last month that it disclosed what it described as a "breach of trust" by the consulting firm. And that was seemingly only because it learned that The New York Times and The Guardian were about to break the story. It also took Facebook more than two years to notify users whose data were affected, which it just started doing this week. Zuckerberg was asked if he was involved in the decision to not contact the users when the company became aware of the issue, and he said he didn't know if there "were any conversations at Facebook overall because I wasn't in a lot of them."

While there's a chance Facebook did violate its privacy deal with the FTC (Zuckerberg said he doesn't believe that to be the case), the company won't face any financial penalties regardless. The main issue is that the FTC, the primary body overseeing Facebook, doesn't have strong enforcement powers. Even if the FTC does find that Facebook violated its 2011 agreement, the agency can't impose fines because it would be considered a first-time violation. When you take into account that the company raked in a record $12.97 billion in revenue last quarter, most of which came from advertising, it can definitely afford to be held accountable for protecting people's data.

"We've been relying on self-regulation in your industry for the most part, and we're trying to explore what we can do to prevent further breaches," said Rep. Diana DeGette (D-CO) on Wednesday. "We continue to have these abuses and these data breaches, but at the same time it doesn't seem like future activities are prevented. And so I think one of the things that we need to look at in the future, as we work with you and others in the industry, is putting really robust penalties in place in case of improper actions." Zuckerberg said that it's likely Facebook will find that other apps abused user data like Cambridge Analytica, and promised to notify users quickly if that ends up being the case.

The idea of tougher regulation for Facebook (and other tech companies) seems to have bipartisan support, based on statements made by multiple members of Congress. Sen. Amy Klobuchar (D-MN) asked Zuckerberg if he would support a rule to notify users of a data breach within 72 hours, which he said he wouldn't be opposed to. That would be a huge shift for his company, considering that it took more than two years to disclose what happened with Cambridge Analytica.