Facebook just got clobbered with a record $5 billion penalty over the Cambridge Analytica data breach

• The Federal Trade Commission just slammed Facebook with a record $5 billion penalty over its handling of user data following the giant Cambridge Analytica breach last year.
• The FTC settlement also requires Facebook to make sweeping changes to its privacy practices and submit itself to more independent scrutiny than ever before.
• Under the settlement, Facebook must establish a board-level independent privacy committee and designate “compliance officers,” who will be held accountable for the firm’s privacy standards.
• Separately, the Department of Justice is suing Facebook over accusations the company “repeatedly used deceptive disclosures and settings to undermine users’ privacy.”

The Federal Trade Commission on Wednesday announced it had slapped Facebook with a $5 billion penalty over the company’s handling of user data, which came to light after the Cambridge Analytica scandal.

The settlement comes after the FTC accused Facebook of violating a 2012 agreement with the commission in which it promised not to hand over user data to third parties without consent.

It represents the biggest penalty the FTC has handed down to a technology company, with the regulator calling it “unprecedented.”

“The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide,” the FTC said in a press statement.

Facebook must make sweeping changes to its privacy standards

As well as the penalty, a wider settlement requires Facebook to make sweeping changes to its privacy practices and submit itself to more independent scrutiny than ever before.

Facebook will be required to restructure its board of directors, mandating an independent privacy committee. The FTC said this committee would remove CEO Mark Zuckerberg’s “unfettered control” over user privacy and would be responsible for appointing “compliance officers” to Facebook’s privacy program. These officers will be held accountable for the firm’s privacy standards.

Members of the new committee must be appointed by an “independent nominating committee” and can be fired only by a “supermajority” of Facebook’s board of directors.

Facebook’s vice president of product partnerships, Ime Archibong,wrote in a blog post that the restructuring would mean a “fundamental shift in the way we work.”

“Under the new framework required by the FTC, we’ll be accountable and transparent about fixing old products that don’t work the way they should and building new products to a higher standard,” Archibong wrote.

The FTC also included a list of six new privacy requirements it’s imposing on Facebook. These are:

• Increased oversight of third-party apps.
• A ban on taking users’ phone numbers for security purposes and then using them for advertising (which it admitted to doing last year).
• Clearly alerting users and getting affirmative consent before using facial recognition.
• Establishing and maintaining a new and comprehensive data-security program.
• Encrypting user passwords and regularly scanning to see whether any passwords are being kept in vulnerable, plain-text format (as was discovered in March of this year).
• A ban on asking for email passwords to other services when users sign up to Facebook.

In a post on Facebook, Zuckerberg said the company had asked one of its “most experienced product leaders” to take on a new role as chief privacy officer for products. He did not name the person.

“Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we’re taking to mitigate them,” Zuckerberg said. “We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward.”