FTC To Hold Facebook CEO Mark Zuckerberg Liable For Any Future Privacy Violations

Updated at 12:16 p.m. ET

Facebook CEO Mark Zuckerberg will have to personally answer to federal regulators under an agreement to settle a privacy case with the Federal Trade Commission that includes a $5 billion penalty for the giant social media company, the agency announced Wednesday. Separately, Facebook will pay $100 million to settle a case with the Securities and Exchange Commission for making misleading disclosures about the risk that users' data would be misused, the SEC said.

Under the FTC agreement, Zuckerberg will be required to submit quarterly compliance reports directly to the federal regulators and to Facebook's board of directors. If the Facebook co-founder or "designated compliance officers" violate the agreement, they could be subject to civil and criminal penalties, the FTC said.

"There's no way that the CEO can bury his head in the sand," James Kohm, head of the FTC's enforcement unit, told NPR. "There's no ostrich defense."

According to FTC investigators, Facebook violated the terms of its 2011 settlement with the agency, in which it promised to protect user data from broad sharing with third-party apps. The company also committed new violations, they said.

Kohm described two major incidents in which Facebook effectively lied to users.

First, the company solicited phone numbers, saying they were being collected to verify users' identity if a password needed to be reset. Millions of people trusted the company, and then Facebook took those phone numbers and used them not just for security, but also for advertising purposes, the FTC said.

Also, according to regulators, the company conducted facial recognition tracking on 60 million users without proper consent. Facebook must notify users who were affected and offer to delete the data collected.

In a blog post Wednesday, Facebook said the FTC agreement "is not only about regulators, it's about rebuilding trust with people. ...

"We have heard that words and apologies are not enough and that we need to show action. By resolving both the SEC and the FTC investigations, we hope to close this chapter and turn our focus and resources toward the future," the company said.

In a separate post, Zuckerberg wrote: "We have a responsibility to protect people's privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry."

In an earnings call earlier this year, Facebook disclosed it was expected to pay a multi-billion-dollar fine to regulators. Following the company's announcement, the stock price jumped. Investors continued to have faith in the business.

The FTC voted 3-2 in favor of the settlement. FTC Commissioner Rohit Chopra, one of the dissenters, said the $5 billion penalty "makes for a good headline, but the terms and conditions, including blanket immunity for Facebook executives and no real restraints on Facebook's business model, do not fix the core problems that led to these violations."

The other "no" vote came from Commissioner Rebecca Kelly Slaughter. She said the settlement doesn't go far enough in deterring the company because it lacks "both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook's data use and order compliance."

Some critics charge the FTC fine is too small, but Kohm said it sends a tough message.

"The idea that $5 billion is a slap on the wrist just doesn't pass the laugh test. It is an enormous amount of profits," he said. "[Facebook] didn't give it up easily. It is way higher than any case in U.S. history other than Deepwater Horizon [the Gulf of Mexico oil spill], where there was massive amounts of harm."

Data privacy harm is less tangible than oil spill harm. But the FTC says the $5 billion is for deterrence — to send a message to other tech companies. Kohm says Facebook fought against it, though the company didn't want to litigate.

The settlement comes as big tech companies such as Facebook, Google and Amazon face increased calls for regulation amid scrutiny over whether they're too big and powerful.

It follows by one day the Justice Department's announcement that its antitrust division is reviewing "whether and how market-leading online platforms have achieved market power and are engaging in practices that have reduced competition, stifled innovation, or otherwise harmed consumers." The department did not say which companies are under review.

The FTC's investigation of Facebook began more than a year ago in the wake of revelations that Cambridge Analytica, a firm that had worked with President Trump's 2016 campaign, had gathered personal data from up to 87 million Facebook users.

Facebook had been in negotiations with the FTC following concerns that the social media giant violated the 2011 consent decree in which it promised to give consumers "clear and prominent notice" when sharing their data with others and to get "express consent."

And on Wednesday, the company settled a case with securities regulators over the Cambridge Analytica matter. The SEC said Facebook "discovered the misuse of its users' information in 2015, but did not correct its existing disclosure for more than two years." Instead, the agency said, "Facebook continued to tell investors that 'our users' data may be improperly accessed, used or disclosed.' "

"Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused," Stephanie Avakian, co-director of the SEC's Enforcement Division, said in a statement. "Public companies must have procedures in place to make accurate disclosures about material business risks."

Facebook told investors in April that it expected to pay a fine of up to $5 billion in a settlement with the FTC. By comparison, the company reported $55.8 billion in revenues and a profit of $22.1 billion last year.

Facebook is one of NPR's financial sponsors.

Zuckerberg faced hours of questioning in congressional hearings in April 2018 over the Cambridge Analytica scandal and how Facebook handled user data. "We didn't take a broad enough view of our responsibility, and that was a big mistake. It was my mistake, and I'm sorry," he told lawmakers.

Days earlier, Facebook Chief Operating Officer Sheryl Sandberg told NPR in an interview: "We really believed in protecting privacy. But we were way too idealistic. We did not think enough about the abuse cases."

In March 2019, Zuckerberg promised to bring encryption and self-destruct features to Messenger and other Facebook apps, in a move meant to signal the company's commitment to privacy.

Facebook denied reports in June 2018 that the company exposed its users' private information to other big tech companies as part of a plan to become ubiquitous on mobile devices.

Earlier this year, several groups that advocate for children's rights and privacy rights asked the FTC to investigate whether Facebook illegally enticed children to spend money on in-game purchases without their parents' consent.

And Facebook's plan to launch a digital currency has drawn skepticism from lawmakers, who cited the company's repeated missteps over privacy.