In a meeting with Facebook employees last week about the company’s record $5 billion settlement with the Federal Trade Commission, CEO Mark Zuckerberg said forthcoming changes to its privacy practices were in line with his belief that companies should protect users’ data.
“I’ve said a number of times in the past that I believe that companies should be held accountable on privacy,” Zuckerberg said, a reference to comments he made earlier this year. “And this is what accountability looks like.”
Zuckerberg wasn’t the only Facebook executive to share a similar sentiment—Colin Stretch, vp and general counsel, said in a statement the agreement would “require a fundamental shift” in Facebook’s approach to privacy, but that he was hopeful the settlement would “be a model for the industry” from an accountability standpoint.
So what is that model? The FTC settlement, which stemmed from what Facebook told users about their privacy controls and how it addressed lapses, requires the social network to establish a panel within its board of directors to monitor its privacy practices. Three compliance officials, along with Zuckerberg himself, will be required to certify that the company is protecting users’ data every quarter, or face civil and even criminal penalties. Facebook will have to submit new products to privacy reviews and document information about data breaches, and the FTC can request documents and use discovery tools to monitor compliance.
Here’s what that “model for the industry” is not: Facebook did not have to admit wrongdoing. No executives faced penalties for its privacy violations. The extent of the civil and criminal penalties isn’t defined, mitigating the threat of potential legal action.
The company and its executives received sweeping immunity from any additional privacy violations between 2012 and 2018, including potential violations that haven’t been discovered yet. The FTC also did not place any limits on Facebook’s collection or use of user data itself. And while the fine is a record in terms of the sheer size of the penalty, it represents less than 10% of Facebook’s annual revenue.
In a statement, FTC chairman Joe Simons said the settlement “is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.” At a subsequent press conference, Simons said the FTC chose to pursue the fine rather than years of litigation that could lead to a less fruitful outcome. James Kohm, head of the FTC’s enforcement unit, told NPR the terms mean “there’s no way that the CEO can bury his head in the sand” about the company’s privacy practices in the future.
But not everyone is convinced. There’s widespread concern the settlement doesn’t go far enough in holding executives responsible for past transgressions, and represents a missed opportunity for addressing broader concerns about Facebook’s conduct. Rohit Chopra, one of two FTC commissioners who did not approve of the settlement, said the ruling let Facebook off easy.
“Breaking the law has to be riskier than following it,” Chopra wrote in a fiery dissent. “The settlement’s $5 billion penalty makes for a good headline, but the terms and conditions, including blanket immunity for Facebook executives and no real restraints on Facebook’s business model, do not fix the core problems that led to these violations.”
Many Democratic and Republican lawmakers also criticized the settlement for falling short, joined by consumer advocacy groups.
“This settlement doesn’t even come close to preventing such violations from occurring again,” said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union. “It fails to put strong and meaningful limits on how Facebook collects, uses and processes user data. It holds no executive personally liable for years of privacy violations and misleading statements made by the company.”