After months of speculation, Facebook and the Federal Trade Commission agreed to a $5 billion fine for privacy violations, as well as new oversight on how the company handles user data.
The fine is the largest the FTC has ever levied on a tech company and to the disappointment of some, CEO Mark Zuckerberg is only being held personally responsible in a limited fashion.
As part of the agency's settlement with Facebook, Zuckerberg will have to personally certify his company's compliance with its privacy programs. The FTC said that false certifications could expose him to civil or criminal penalties.
Facebook also does not admit any wrongdoing as part of the settlement.
In a statement posted to the FTC's website, FTC Chairman Joe Simons said the Zuckerberg-led company "undermined consumer choices and the fine is being used not only to punish past violations, but future ones as well.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” Simons said in the statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
Three Republican commissioners voted for the fine while two Democrats opposed it. "The proposed settlement does little to change the business model or practices that led to the recidivism," wrote Commissioner Rohit Chopra in his dissenting statement.
Chopra added the settlement imposes "no meaningful changes" to the company's structure or business model. "Nor does it include any restrictions on the company's mass surveillance or advertising tactics."
The money is likely to go to the U.S. Treasury and far surpasses the FTC's previous record for a fine on a tech company, $22.5 million, which it levied upon Google in 2012 for bypassing the privacy controls in Apple's Safari browser.
The largest punishment against a non-tech company was the $14.7 billion fine that was handed out to Volkswagen to settle allegations it cheated on emissions tests and deceived customers.
The FTC investigation, which opened last year, stems from the scandal that data-mining firm Cambridge Analytica took user information from as many as 87 million Facebook users without their permission.
The government agency had also been looking into whether Facebook violated a settlement with government regulators in 2012 after it was determined the social networking giant broke privacy promises to users. That settlement said Facebook required user consent to share personal data that overrode their privacy settings.
Cambridge Analytica eventually shut down as a result of the scandal.
In a statement, Facebook's General Counsel Colin Stretch said the agreement with the FTC would provide new standards for protecting user privacy.
"After months of negotiations, we’ve reached an agreement with the Federal Trade Commission that provides a comprehensive new framework for protecting people’s privacy and the information they give us," Stretch wrote in a blog post.
"The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past," Stretch added.
Zuckerberg said the company has a "responsibility to protect people's privacy," and as part of the deal with the FTC, it will further its efforts.
"As part of this settlement, we're bringing our privacy controls more in line with our financial controls under the Sarbanes-Oxley legislation," Zuckerberg wrote. "Our executives, including me, will have to certify that all of the work we oversee meets our privacy commitments. Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program. We've also asked one of our most experienced product leaders to take on the role of Chief Privacy Officer for Products."
Sources close to the matter said that Zuckerberg will also discuss the changes at a company-wide meeting Wednesday afternoon.
On its first-quarter earnings call in April Facebook told analysts that it estimated the settlement with the FTC to be between $3 billion and $5 billion.
Separately, The Wall Street Journal reported late Tuesday that Facebook would also settle with the Securities and Exchange Commission to close the matter of whether it properly disclosed its privacy practices to investors and pay a fine "larger than $100 million."
The Associated Press contributed to this report.