
If you’ve ever wondered what a paradigm shift looks like, you’re witnessing one today. The FTC’s $5 billion civil penalty against Facebook for violations of an earlier FTC order is record-breaking and history-making. In addition, the settlement requires Facebook to implement changes to its privacy practices, its corporate structure, and the role of CEO Mark Zuckerberg that are seismic in scope. Simply put, when it comes to the business of consumer privacy, it’s no longer business as usual at Facebook.

Why the FTC sued Facebook in 2012

In 2012, the FTC charged Facebook with eight separate privacy-related violations, including that the company made deceptive claims about consumers’ ability to control the privacy of their personal data. One specific count alleged that Facebook allowed users to choose settings that supposedly limited access to their information just to “friends” without adequate disclosures that another setting allowed that same information to be shared with the developers of apps those friends used. Put another way, suppose Consumer A restricted access to friends and designated Consumer B as a friend. If Consumer B used a particular app on Facebook – let’s say a game – the game developer could access information about Consumer A, including data designated as private. That was all going on behind the scenes without a clear disclosure to Consumer A and in flagrant disregard of that person’s privacy choices.

To settle that case, Facebook agreed to an order that, among other things: 1) prohibited Facebook from making misrepresentations about the privacy or security of consumers’ information, 2) prohibited Facebook from misrepresenting the extent to which it shares personal data, and 3) required Facebook to implement a reasonable privacy program.

According to the FTC, Facebook flouted that order in multiple ways, and today’s settlement holds the company accountable for putting profits over its privacy promises.

How Facebook violated the 2012 FTC order and the FTC Act

Under the 2012 order, Facebook must honor consumers’ privacy choices or face an order enforcement action, which can result in substantial civil penalties not legally available to the FTC in an initial lawsuit. The FTC alleges that since agreeing to that settlement, Facebook repeatedly misrepresented the extent to which users could control the privacy of their data.

You’ll want to read the new complaint for details, but here are a few examples of how the FTC alleges Facebook violated the order. After agreeing to the 2012 settlement, Facebook launched services with feel-good names like “Privacy Shortcuts” and “Privacy Checkup” that claimed to help users manage their settings and limit who had access to their data. Concerned about their privacy, many consumers used those new tools to limit access just to friends.

But according to the FTC, even if people chose the most restrictive settings those tools allowed, Facebook made consumers’ personal data accessible to companies that developed apps used by consumers’ friends. To name just a few categories, that included the news and books they were reading, their relationship details, their religious and political views, their work history, their photos, and the videos they watched. Facebook did offer a setting to ensure users’ privacy preferences would be honored, but it was hidden away in a place people were unlikely to look. And it wasn’t directly accessible from the very tools the company touted as the way for consumers to “review and edit the privacy of key pieces of information.”

Furthermore, at the 2014 F8 conference – a gathering of companies that build products and services around Facebook – Facebook announced that it was no longer allowing third-party developers to collect data about the friends of app users. However, Facebook was separately telling developers with existing apps on the platform that they could continue to collect friends’ personal data for another year. And even after that period elapsed, Facebook continued to provide certain developers with access to friend data for years to come. The FTC says it took Facebook until at least June 2018 to stop providing access to this data to certain third-party apps.

Another way the FTC says Facebook violated the order was by failing to adequately assess and address privacy risks posed by third-party developers. Other than getting developers to click an “I agree” terms-and-conditions box when registering an app with the Facebook Platform, Facebook didn’t screen developers or their apps before giving them access to massive amounts of data that users had designated as private. Of course, in the wrong hands, information like that can grease the wheels for identity thieves and fraudsters. One particularly troubling charge is that when Facebook learned that app developers were violating Facebook’s terms, Facebook’s enforcement action was often influenced by how much advertising money the app developer spent with Facebook. Just how much user data was improperly disclosed? Facebook’s poor recordkeeping makes that difficult to determine.

According to the complaint, another way Facebook misrepresented the extent to which users could control the privacy of their data related to a form of technology that raises particular concerns for many consumers: facial recognition. In an April 2018 update to its Data Policy, Facebook represented to consumers, “Face recognition: If you have it turned on, we use face recognition technology to recognize you in photos, videos and camera experiences.” The complaint alleges that this statement was deceptive to tens of millions of users who have Facebook’s facial recognition setting, “Tag Suggestions,” because that setting was turned on by default and the updated Data Policy suggested that users would need to opt-in to having facial recognition enabled for their accounts.

In addition, the complaint charges Facebook with a new violation of the FTC Act. You know how Facebook asks users for their mobile phone number to help secure their accounts or reset their passwords? According to the complaint, Facebook didn’t tell people it also used that phone number to serve them with ads.

It boils down to this. In the face of consumers’ intent to limit information-sharing to a select few, Facebook ignored them and shared it broadly. Facebook did that despite its privacy promises, despite consumers’ efforts to protect their privacy, and despite the terms of the 2012 order. Why? To further Facebook’s financial interests.

How the new order will change Facebook’s approach to consumer privacy

The $5 billion civil penalty is the largest ever imposed on a company anywhere for violating consumers’ privacy. What’s more, the penalty – which, by law, goes to the U.S. Treasury (not the FTC) – is one of the largest penalties ever assessed by the U.S. government for any violation. It’s designed to make all companies – not just Facebook – sit up, take notice, and rethink their practices.

Could the FTC have won a bigger civil penalty by going to court? Probably not. Judges tend to evaluate financial remedies in comparison with the cases that have gone before them. That’s why we think the financial settlement is in the public interest. It has the added benefit of establishing a new benchmark when the FTC challenges privacy violations in the future.

The order imposes additional requirements to address Facebook’s illegal conduct. For example, Facebook must implement a stringent program to monitor third-party developers and terminate access to any developer that doesn’t follow the rules. In addition, Facebook can’t use for advertising purposes the phone numbers it obtained specifically for security. When it comes to facial recognition technology, the order requires Facebook to give clear notice of how it uses that information and it must get consumers’ express consent before putting that data to a materially different use. Facebook also will have to encrypt passwords and can’t ask people for their passwords to other services, and must report any privacy incident to the FTC within 30 days. On top of everything Facebook will have to do to protect consumers’ privacy, it also has to implement a comprehensive data security program. Another important consideration: These new accountability provisions don’t just apply to Facebook. They also apply to companies Facebook controls, like Instagram, WhatsApp, and other Facebook-owned affiliates that it shares consumers’ information with between now and 2039.

But don’t let a focus on the record-setting financial and conduct remedies distract from just how monumental a change the order imposes on Facebook’s privacy ecosystem and CEO Mark Zuckerberg’s job description. The order explains in detail a new system of independent control, multi-layer accountability, and personal responsibility over Facebook’s practices, and substantially limits Mr. Zuckerberg’s unfettered say in privacy decisions. In fact, for the next 20 years, anytime Facebook makes a privacy decision, multiple independent watchdogs will be looking over its shoulder. You’ll want to read the order in depth, but here are some highlights of ways that business is about to change at Facebook.

Who will oversee privacy at Facebook? An Independent Privacy Committee. Facebook’s Board of Directors will name a new subgroup that will serve as an Independent Privacy Committee. Facebook officers and employees – including Mr. Zuckerberg – are disqualified from membership. The Committee will be briefed about all material privacy risks and issues at the company, and has approval-and-removal authority over a new cadre of designated compliance officers and a third-party assessor that will not answer to Facebook. (More about them in a moment.)

Who will carry out Facebook’s day-to-day privacy program? Designated compliance officers. Expert compliance officers, who must be approved by the Independent Privacy Committee, will implement and maintain Facebook’s privacy program. The compliance officers will be responsible for documenting every material privacy decision in detail. They’ll provide that documentation quarterly to the third-party assessor and CEO Zuckerberg. They also will have to certify quarterly to the FTC that Facebook is complying fully with the privacy program. If that’s not the case, the compliance officers will throw a flag that triggers even closer FTC scrutiny. In addition, the independent assessor will meet with the Independent Privacy Committee four times a year outside the presence of Facebook officers and employees. What if Facebook doesn’t like what the compliance officers are doing? Tough. Only the Independent Privacy Committee can remove them from the job.

Who else will be watching Facebook? A third-party assessor with broad monitoring powers. The assessor – who must be appointed with FTC approval – will provide an independent evaluation of Facebook’s privacy practices every two years. The order mandates that the assessor must subject Facebook to substantial scrutiny and can’t just take management’s word for what’s happening. In effect, the assessor must kick the tires, look under the hood, put it up on the lift, conduct diagnostics, and take it for a test drive. And again, Facebook will not be able to remove the assessor on its own.

How much of a role will CEO Mark Zuckerberg play in making final privacy decisions for the company? Substantially less, but he’ll have much more on the line personally. Mr. Zuckerberg will get a copy of Facebook’s written privacy program and quarterly reports of privacy decisions. But he does not control the Independent Privacy Committee, the designated compliance officers, or the third-party assessor. However, the order does impose a major requirement on him. Facebook’s CEO must certify quarterly to the FTC that the company’s privacy program complies with the order. A false certification could trigger civil or even criminal penalties.

How much access will the FTC have to Facebook’s privacy decisions? An unprecedented amount. The order gives the FTC unparalleled access to Facebook’s decision-making. Upon request, the FTC will get written documentation of every privacy decision Facebook makes and copies of the third-party assessor’s reports. (Remember that the FTC has to approve who gets hired as the assessor.) The order also includes tools that slice through any red tape that could have hindered the FTC’s ability to get records, conduct interviews, or take other steps to monitor Facebook’s compliance.

The goal of the FTC’s settlement is the creation of a new culture at Facebook where the company finally lives up to the privacy promises it has made to the millions of American consumers who use its platform.


July 24, 2019
How will the FTC’s $5 billion civil penalty against Facebook be used?
FTC Staff
July 24, 2019

In reply to by Carla

The penalty, by law, goes to the U.S. Treasury, not the FTC. It is one of the largest penalties ever assessed by the U.S. government for any violation.

Robin R Carlin
August 13, 2019

In reply to by Carla

The penalty money should be used to compensate the clients, Facebook clients, for the trouble they cost us, and I'm one of them. We should get compensated. I was not able to accomplish my goal about my developers information. I put in 12 years of work just for Facebook to violate our privacy by not controlling our privacy on the internet! That is life threatening to me, and I'm supposed to monetize my app, which is the fastest Chrome, which has been hacked, breached, all of the above. I need to be compensated for that, and so does everyone else. We have lost by them selling our information to consumers; they made a lot of money by doing that.
July 24, 2019
And does the fine go to the users whose privacies were violated?
FTC Staff
July 24, 2019

In reply to by Jamie

The penalty, by law, goes to the U.S. Treasury, not the FTC. It is one of the largest penalties ever assessed by the U.S. government for any violation.

Bill Brigham
July 24, 2019
Facebook engaged in massive criminal fraud and other crimes for almost a decade. Despite acting as a criminal enterprise, FB and Zuckerberg have not faced criminal charges. The injunction only orders them ... yet again ... to stop their criminal acts. And the fine, for a criminal organization of FB's size, is just a 'slap on the wrist.' Why no meaningful fines? And why no criminal charges? Among others, there is obvious mail fraud 18 USC 1341; false representation 39 USC 3005; criminal privacy violations; state and federal frauds of many sorts; violation of right of publicity laws, and much more.
Thomas W Otte
July 28, 2019
So what does this mean to the millions on Facebook?
August 13, 2019
I have been violated by Facebook repeatedly, over and over and over. There is a record still in their systems, and I hold some information on some of my other phones. I'm still being violated by consumers calling me from every area. I can't make one phone call or send an email to someone because they've already got my information, and they call me constantly acting as if there is somebody else related to that company that I've contacted.
August 21, 2019
If I deactivate and delete all my social accounts, will I get my life back? Please delete everything about me... Everybody is just playing with my life... Hopefully GOD will take me soon...
October 06, 2021

In reply to by RIZUAN BIN A R…

I am sorry you are going through that. You could try deleting all your social media, and then, if you choose to do a couple again, make sure your privacy settings are good. I hope that this helps you.
Sean C
September 19, 2019
Do corporate structures where founders hold a majority of the votes no matter their economic share (such as Facebook or Google) reduce accountability, ultimately leading to abuses like this?
September 23, 2019
"Facebook was separately telling developers with existing apps on the platform" .. you know, their friends. This act, repeatedly deployed, has perverted our marketplace of ideas and fair competition, providing certain messages, and voices to find access to opportunities that were being led by their true leaders authentically. Our country has been robbed of its true leaders, and in their place we have been manipulated by a social graph, that has selected a victorious structure of "friends" with whom special information was shared and leveraged, both personally, and using the vast wealth of Facebook. It is not enough to just fine Facebook. The nature of the offense must be considered by balanced and judicious minds, and the nature of the perversion must be taken account of in considering the real harm that Facebook's existence has endeavored upon. The personal details of people's lives, their intimate real time and ancestral connections, their mental conditions and living circumstances are now under the data control of a single service provider, incorporated in the UNITED STATES OF AMERICA, using the legal identifier of its citizenry to affect its marketplace, its politics, its elections, and its very soul as a civilization, self led.
November 24, 2019
They blocked my postings till Dec 1, 2019 ..... So sad .. they are seeing our privacy information, etc.
Belinda Griffin
July 16, 2020

In reply to by Guest

I have been hacked, scammed, breached, and violated by users exposing on Facebook. I am a victim. I need these scammers caught and prosecuted, and jailed. I want and need my money back and also compensation for that, and so does everyone else. They are selling our information to consumers; they are making money doing that. Facebook is allowing users to hack and scam our accounts and breach our information. I need this to stop. I am being harassed over and over by people calling me and sending messages. I sent a complaint to Facebook technical support and I have not heard anything from them. And I blocked them; they are still finding a way to contact me. I need help fast.
