Regulator Fines Facebook $5 Billion, Forces Board Oversight on Privacy

Federal Trade Commission Settlement Echoes Shareholder Concerns 

July 24, 2019 

The U.S. Federal Trade Commission (FTC) today announced details of a long-awaited settlement with Facebook for multiple consumer privacy violations, forcing the company to pay a record-breaking $5 billion fine and adopt “a modified corporate structure,” including establishment of an independent board of directors committee to oversee the company’s handling of user data.

The FTC action includes steps long-proposed by shareholders who have pressed the company to make privacy concerns a governance priority, and to shift corporate governance structures to avoid the significant legal, reputational and financial risks associated with Facebook’s current business model.

“While the establishment of board-level privacy oversight is an important step forward, it should not have taken a $5 billion penalty and a 16-month investigation for Facebook to begin to address its systemic recklessness around consumer privacy,” said Michael Connor, Executive Director of Open MIC, which has led much of the shareholder engagement with Facebook. Connor added: “If the company is going to make an authentic shift to instill trust in the public and its shareholders, while avoiding new controversies and fines in the future, the board must confront how Facebook’s business model relies on exploiting consumer privacy.”

Connor said shareholders will continue to push Facebook not only to ensure that its board is equipped to confront privacy challenges, but also to address leadership failures which have enabled such challenges. Facebook’s current “dual-class” shareholder structure gives Mark Zuckerberg control of 60 percent of the company’s voting shares. “When you combine that voting control with Mr. Zuckerberg’s ongoing roles as both Chairman and CEO, you have an extraordinary and unhealthy consolidation of power in one person,” Connor said.

(Shortly after the FTC announcement, the Securities and Exchange Commission said it filed charges against Facebook for “making misleading disclosures regarding the risk of misuse of Facebook user data.” Facebook agreed to pay $100 million to settle the charges.)

The FTC said its settlement “establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.”

In addition, the FTC said, “Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee—not by Facebook’s CEO or Facebook employees. Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.”

At Facebook’s 2019 annual meeting held in May, independent shareholders - i.e., those other than Mr. Zuckerberg - expressed their lack of confidence in the board’s current structure by voting overwhelmingly (68%) to separate the role of Board Chair and CEO, and by withholding support from a number of directors, with 27% voting against COO Sheryl Sandberg as a member of the board, a full third of independent shareholders (33%) voting against Mark Zuckerberg and lead director Susan Desmond-Hellmann, and 38% voting against board member Marc Andreessen. 

In 2018, shortly after nearly 50% of independent shareholders supported a proposal to establish a board-level Risk Committee, Facebook quietly changed the charter of one of the board’s key committees, renaming the committee to include Risk Oversight, and broadening its mission to include oversight of issues that have placed the social media platform at the center of global controversy, including privacy, data use, community safety and cybersecurity. 

The latest FTC investigation was prompted by Facebook’s mishandling of users’ personal data in the so-called Cambridge Analytica scandal, which violated a prior FTC consent decree that required the company to not share the data beyond established privacy settings without obtaining users’ express consent. 

However, the FTC settlement cited additional privacy violations by Facebook, including misleading users who provided their telephone numbers to the company for a security feature called two-factor authentication. Those telephone numbers were instead often used by Facebook advertisers to help target ads to specific users, the FTC said.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

While Facebook’s $5 billion fine has already been criticized by some as not tough enough, it is the largest in the history of the FTC, easily surpassing a $22.5 million fine against Google in 2012. The $5 billion represents approximately 9 percent of Facebook’s 2018 revenue. By comparison, the European Union’s General Data Protection Regulation (GDPR) imposes a maximum fine equal to 4 percent of global revenue for compliance violations.