After more than a year of wrangling, Facebook and the Federal Trade Commission finally agreed to settle an investigation into the social network’s privacy mishaps. The result: Facebook will create a new privacy council, CEO Mark Zuckerberg will be required to certify the company’s behavior, and the social network will have to — we sort of can’t believe we have to write this but we do — encrypt your password.
Oh, yeah. There was also a $5 billion fine, a penalty the FTC called “unprecedented.”
The settlement comes after the FTC looked into whether Facebook should have done more to prevent Cambridge Analytica, a now-defunct consultancy that worked on President Donald Trump’s campaign, from siphoning off the data of up to 87 million users. Specifically, the FTC was concerned that Facebook’s failure to safeguard that data violated an earlier agreement Facebook made to protect user privacy.
On April 23, a federal court approved the settlement between the, which was announced in July.
Here’s all you need to know about the settlement and how it impacts you.
I’m a Facebook user. How do I get some of that $5 billion?
Short answer: You don’t. Longer answer: Facebook users weren’t financially harmed, though being hammered with political ads might seem like it deserves compensation. So no fund is being set up to pay victims. Instead the money will go straight to the US Treasury.
We know that’s disappointing, particularly if you’ve been following the $700 million settlement that Equifax struck after it was hacked. On Monday, the FTC said the 147 million Equifax customers whose data was swiped could claim compensation for costs caused by the security breach, including unauthorized charges to your account and money spent to protect yourself from the threat of identity theft. About $300 million from the settlement will be set aside to pay consumers affected by the hack.
Well, that’s disappointing. What’s this about a new privacy committee?
The agreement requires Facebook to form a privacy committee at the board-of-directors level. The committee will do one thing: oversee privacy at Facebook. And all the members will be independent, meaning their day jobs can’t be at Facebook.
The committee, when it is created, will have a lot of power. It will be able to remove privacy compliance officers, who will be responsible for executing the company’s policies. It will also be able to fire the company’s privacy assessor, a newly created position that will evaluate Facebook’s policies and produce a report every two years. (The committee will need the FTC’s approval to remove the assessor.)
The committee members are also well protected. A member can only be fired without cause by a supermajority of voting shares.
I heard something about a new privacy program at Facebook. What’s that about?
In broad brush, Facebook has to conduct privacy reviews of all new or modified products and services. That could be apps it designs or physical products, like its Portal video chat device. The company has to share written privacy reviews with Zuck (which seems like common sense), as well as the assessor and the FTC, if it wants to have a peek. The privacy program has to include other Facebook services, such as WhatsApp and Instagram.
So Zuck is on the hook?
Yes, for anything that happens in the future. The settlement requires him to certify that Facebook is in compliance with its privacy program every quarter. He could face “civil and criminal penalties” if he doesn’t or gets it wrong. He also isn’t the boss of the independent privacy committee or assessor.
Anything else I need to know about the settlement?
There are some interesting — and scary — loose ends. The social network has to encrypt user passwords, can’t use phone numbers given as part of two-factor authentication for advertising, can’t retain personal information that users deleted on its servers and can’t let employees have free access to user information.
That’s it, right?
As long as you don’t count the controls that are being put in place for facial recognition. Basically it boils down to this: Facebook has to get your permission on facial recognition matters before it does anything.
What comes next?
Facebook is still facing regulatory scrutiny from the FTC and other government agencies. The FTC told the company in June it was investigating the social media giant for antitrust concerns. The Department of Justice also said this week that it’s kicking off an antitrust review into internet giants and how they achieved market power, signaling it would target social media companies like Facebook.