Facebook CEO Mark Zuckerberg will have to certify to the FTC, every three months, that users’ privacy remains protected on the platform, failing which he might face civil and criminal penalties – this is one of the key takeaways from the FTC settlement which was formally announced yesterday. This settlement marks the end of the FTC’s year-long probe into Facebook that began in March 2018 over the company’s involvement in the Cambridge Analytica scandal.

What the settlement entails

  • Facebook will pay the FTC a fine of $5 billion (read peanuts).
  • An independent privacy committee of Facebook’s board of directors will be established, removing unfettered control by CEO Mark Zuckerberg over decisions affecting user privacy.
    • Members of the privacy committee will be independent and appointed by an independent nominating committee. They can only be fired by a supermajority of the Facebook board of directors.
  • Compliance officers will be designated and will be responsible for Facebook’s privacy program. These officers will be subject to the approval of the new board privacy committee and can be removed only by that committee — not by Facebook’s CEO or Facebook employees.
  • Greater oversight over third-party apps should be exercised by Facebook, including by terminating app developers that fail to comply with the company’s platform policies or fail to justify their need for specific user data.
  • Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising.
  • Clear and conspicuous notice of its use of facial recognition technology should be provided by Facebook.
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext.
  • Facebook can’t ask for email passwords to other services when consumers sign up for its services.

Why this settlement looks like a missed opportunity

While the $5 billion fine will mark the largest civil penalty ever paid to the FTC, several people have highlighted that this will hardly ruffle Facebook’s feathers. In fact, Congressmen — both Republican and Democrat — have told the FTC that a $5 billion penalty was too little and that Mark Zuckerberg should personally be held responsible.

Although this investigation went on for a little more than a month, there was never much clarity on what exactly the FTC was looking at. There were hardly any reports that suggested the FTC was grilling Facebook executives, including Zuckerberg himself, over the entire course of this investigation. In fact, we reported that certain emails hinted at Zuckerberg having prior knowledge of some of the problematic privacy practices.

If there arises an understanding that Zuckerberg might have been let off a bit too easily, it wouldn’t be unwarranted. After all, he wrote last year that he “started Facebook” and is “responsible” for what happens on the platform. The FTC could’ve set an example by penalising Zuckerberg with more than just having to certify users’ privacy every three months.