SAN FRANCISCO — Facebook was ordered Wednesday to create new layers of oversight for its collection and handling of users’ data by the Federal Trade Commission (FTC), as the agency detailed a privacy settlement with the social-network company that became a referendum on how aggressive U.S. regulators would be against big tech companies.

Under the agreement, the FTC mandated that the Silicon Valley company add new positions and practices to increase the transparency and accountability of how it treats people’s information. The agency also formally imposed a record $5 billion fine against Facebook for deceiving users about their ability to control the privacy of their personal data.

[Related: Facebook says it is under antitrust investigation by the Federal Trade Commission]

Yet the measures, which the FTC’s commissioners approved in a 3-2 vote this month, drew sharp criticism for not going far enough in curbing the data habits of the world’s largest social-media company. Republican and Democratic lawmakers pilloried the settlement as a drop in the bucket for Facebook and said the FTC failed to limit a core practice that has repeatedly raised privacy questions: the company’s gathering, sharing and use of people’s personal information.

That puts U.S. regulators in a difficult position as authorities around the world have stepped up their actions to crimp the power of tech companies like Facebook, Google, Amazon and Apple. Over the past few years, the United States has been seen as a lesser force in tech regulation, especially compared with European officials who have passed laws and imposed a series of large penalties against the tech giants.

The FTC agreement “utterly fails to penalize Facebook in any effective way,” said Sen. Josh Hawley, R-Mo.


Sen. Ron Wyden, D-Ore., who is pushing for new federal privacy laws, said the settlement would not deter Facebook from further privacy violations.

“The FTC is sending the message that wealthy executives and massive corporations can rampantly violate Americans’ privacy and lie about how our personal information is used and abused and get off with no meaningful consequences,” he said.

Within the FTC, the settlement was divisive, with the agency’s three Republican commissioners voting to approve the deal while the two Democratic commissioners dissented. The agreement stopped short of more punitive measures that the FTC had previously discussed against Facebook, including holding Chief Executive Mark Zuckerberg personally liable for missteps and potentially taking the company to court. The fine was also a fraction of Facebook’s $56 billion in annual revenue.

The agency also agreed the settlement would shield Facebook from known claims of violations before June 12, 2019, essentially giving the company a pass on its past. And it provided immunity to Facebook officers and directors.

In a statement, the FTC’s Republican commissioners — including the chairman, Joseph Simons — said they were “proud” of the agreement. The measures “will provide significant deterrence not just to Facebook, but to every other company that collects or uses consumer data,” they said.

The FTC’s two Democratic commissioners disagreed. “I fear it leaves the American public vulnerable,” said Rebecca Kelly Slaughter.


Rohit Chopra, another Democratic commissioner, warned that the terms of the settlement shielded Facebook from a wide range of problematic practices. “This shield represents a major win for Facebook, but leaves the public in the dark as to how the company violated the law and what violations, if any, are going unaddressed,” he said.

Zuckerberg said in a Facebook post that the FTC’s orders “go beyond anything required under U.S. law today.” He added that he supported the agreement because it would “reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.”

For Facebook, the FTC settlement does not end its regulatory and legal headaches.

The Securities and Exchange Commission (SEC) said Wednesday that it had imposed a penalty of $100 million against Facebook for making misleading disclosures to investors about the risks of misuse of user data. The agency charged that Facebook had known for two years about the misuse of users’ data — and had shared that information with company employees — yet misleadingly presented those risks to investors as merely hypothetical.

Around the world, Facebook faces other fights. Authorities in Europe and elsewhere are lining up to probe and limit tech companies on issues including privacy, antitrust and harmful content such as disinformation and hate speech.

The FTC’s investigation of Facebook for privacy violations was prompted by a report from The New York Times and The Observer of London last year on how the social network allowed Cambridge Analytica, a British consulting firm to the Trump campaign, to harvest the personal information of its users. Cambridge Analytica used the data to build profiles of American voters without the consent of Facebook users.


The FTC began examining whether the Cambridge Analytica scandal meant that Facebook had violated a 2011 privacy settlement with the agency. Under that earlier agreement, the company had agreed not to deceive people over how their information was used and shared.

On Wednesday, the FTC said it had also agreed to settle with Cambridge Analytica’s former chief executive, Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, to restrict how they did business in the future.

With Facebook, the FTC mandated the social network create an independently appointed privacy committee on its board that would review decisions affecting user privacy. The agency also ordered the company to designate compliance officers to oversee a privacy program, undergo regular privacy audits that Zuckerberg and others must submit to, and appoint an outside assessor to monitor the handling of data.