The Federal Trade Commission finally unveiled details Wednesday of a long-awaited settlement with Facebook Inc. for violating an order to protect users' privacy, aiming to impose sweeping changes to how the social-media giant operates.
But the deal doesn't actually require many changes to Facebook's business. The company will be able to make product decisions as it always has, and will also still be able to collect the same data from users. For the most part, Facebook will be able to continue targeting ads in the same way it does today.
The FTC, which fined Facebook a record $5 billion, said the company must submit to 20 years of oversight from an independent committee on the board. During that time, any violations could result in more fines and punishments, and Chief Executive Officer Mark Zuckerberg could be held personally responsible for future infractions. He'll be asked to certify annually that Facebook is complying with the agreement, and "any false certification will subject [him] to individual civil and criminal penalties," according to a statement from the FTC.
The agreement doesn't do much to threaten Facebook's ability to generate advertising revenue, however. For the company's data-hungry business model, "20 years of oversight is not that big of a deal," according to Mark Zgutowicz, an analyst at Rosenblatt Securities. "For advertisers, Instagram and Facebook are killing it. They can't be beat. I don't see much of a change in that dynamic."
FTC Commissioner Rohit Chopra, who voted against the settlement, agrees. It "imposes no meaningful changes to the company's structure or financial incentives, which led to these violations," he wrote in his dissenting statement. "Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail."
Facebook said the agreement "will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we've done in the past." Facebook said it hopes the agreement, which requires greater accountability than is currently required under U.S. law, will be "a model for the industry."
The shares slid 1.5 percent to $199.30 in New York.
The FTC says its order "overhauls the way the company makes privacy decisions." But it doesn't add any significant new items for the company to fix, and many of the broad stipulations in the settlement require Facebook to do things the company is already doing or has promised to do. A few examples:
--"Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy."Facebook said in May 2018 that its privacy team already reviews all of its products to ensure they meet the company's policies. Facebook even announced a new product division last year specifically designed to build privacy features. The idea was to ensure "privacy is built into our products from the outset."
--"Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook's platform policies or fail to justify their need for specific user data." There have always been rules in place for developers who use Facebook's software plug-ins, called APIs -- the company just hasn't always enforced them. In the spring of 2018 following the Cambridge Analytica scandal, Facebook eliminated a number of third party APIs that gave developers access to user data, and also cut down on the amount of user data existing APIs could share. The company also created stricter guidelines to decide which developers could continue to collect data from Facebook users.
--"Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users." Facebook already has a setting where users can opt-out of the facial recognition feature, and changed the setting to a simple "off/on" distinction in 2017. (It made the change while also expanding the use of facial recognition software, claiming it would increase user privacy.) The company also has a facial recognition "help" page that explains how the technology is used. It's unclear what, if anything, Facebook will need to do in order to be more "clear and conspicuous" for users than it already is.
--"Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext." Facebook security procedures already require that the company encrypt user passwords, though it was learned in March that hundreds of millions of passwords had accidentally been stored incorrectly.
For Facebook's entire history, the company has reacted to data breaches and privacy failures as they surface. The company apologises and promises to do better. The new FTC order likely won't change that pattern -- it will just increase oversight of the problem.
© 2019 Bloomberg LP