Facebook's FTC consent decree deal: What you need to know

"Consent decree" was one of the buzzwords in Mark Zuckerberg's testimony this week, but what does it mean? We break down Facebook's 2011 settlement with the FTC.

Marguerite Reardon Former senior reporter

Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.

Marguerite Reardon, April 14, 2018 5:00 a.m. PT

Mark Zuckerberg, Facebook's 33-year-old multibillionaire CEO, may have schooled Congress in two marathon-length hearings this week during his discussion of the Cambridge Analytica data leak that exposed millions of Facebook users' personal data, but his company isn't out of the woods yet.

Among its biggest concerns is a Federal Trade Commission investigation into whether Facebook violated a 2011 settlement with the government in which it promised to enact reforms addressing how it tracked and shared data about its users. If the company is found to have violated the agreement, it could face penalties of up to $40,000 per violation per day, which could in theory add up to billions, if not trillions, of dollars.

Zuckerberg came to Washington this week in an attempt to do damage-control following revelations last month that an app developer named Aleksandr Kogan had sold data for as many as 87 million Facebook users to the UK-based political consulting and data mining firm Cambridge Analytica, which had ties to the Trump presidential campaign.

In question is whether Facebook should be on the hook for allowing an app developer to share personal data of millions of Facebook users without their consent, which many experts argue is a violation of its 2011 agreement with the government. The FTC has already opened an investigation into Facebook to determine if the company has been following the terms laid out in the 20-year agreement.

To help you understand what the 2011 FTC consent decree is and why it matters, CNET has put together this FAQ.

What's a 'consent decree'?

It's an agreement or settlement that resolves a legal dispute between two parties without the admission of guilt or liability.

By agreeing to this consent decree in 2011, Facebook didn't admit it had broken the law. But the agreement itself does carry the force of law going forward, which means that if Facebook breaks the terms, it's breaking the law and penalties can be assessed.

What did the consent decree between the FTC and Facebook involve?

In the 2011 complaint, the FTC accused Facebook of breaking its promise to keep its users' data private. Facebook had assured users that third-party applications only had access to the data required for them to function. In fact, applications had access to almost all of a user's personal information.

Under the settlement, Facebook agreed to get consent from users before sharing their data with third parties. The agreement also required Facebook to establish a "comprehensive privacy program" and to have an independent third party conduct audits every two years for the next 20 years to certify that the program is effective.

Did Facebook violate this consent decree?

The FTC is currently investigating to answer this question. But many experts, including former FTC officials, say it looks like it has. David Vladeck, the former director of the FTC's Bureau of Consumer Protection, who worked on the FTC's enforcement case against Facebook, writes in a Harvard Law Review blog "Facebook's apparent violations … of the decree is troubling." He suggested that even aside from the consent decree, the way Facebook allowed Kogan to harvest user data "plainly violated the Federal Trade Commission Act's prohibition against 'deceptive acts or practices.'"

And then there's the question of the third-party audits that Facebook was supposed to be undergoing in order to verify that it was protecting user data.

Zuckerberg explained during the hearing that when Facebook discovered Kogan had sold the data to Cambridge Analytica, the company asked the firm to delete the information. But Facebook didn't verify that the firm had actually done so. The company also didn't notify users that their data had been shared without their permission. Vladeck said that's a blatant violation of the consent decree.

"It doesn't appear that Facebook had even the most basic compliance framework to safeguard access to user data," he said in his blog post. "It is entirely predictable that if app developers are not held to their promises about data collection and sharing, they might not be candid with Facebook about their intentions. Yet it seems that Facebook made no effort to establish the bona fides of developers, much less verify or audit what user data app developers actually harvested and shared."

Does Facebook think it has violated the consent decree?

No. Zuckerberg told Congress this week that Facebook didn't knowingly share data with Cambridge Analytica without users' consent. Instead, the company argues that Kogan deceived it by saying the data was being collected for "academic research," and then improperly sold the data to Cambridge Analytica and other firms.

In other words, Facebook users gave their consent when they signed on to the app, and its system acted as it should. It was Kogan who violated the company's terms when he sold the information to Cambridge Analytica. As for the friends of people who used the app, whose data Kogan was able to collect through his app presumably without their permission, Zuckerberg said Facebook hasn't allowed app developers to access friends' data since 2014.

Zuckerberg at one point explicitly said he didn't think Facebook had violated the consent decree.

So it came up a lot during the testimony?

Oh, yeah. But if Zuckerberg's comments are any indication of how closely the company has followed the agreement, Facebook could be in trouble. On several occasions, he made it clear that he didn't know key details of the agreement.

He told Rep. Mike Doyle, a Democrat from Pennsylvania, that he was "not familiar with all of the things the FTC said."

Zuckerberg also had difficulty answering questions about how long it takes Facebook to delete user data from its servers, as well as questions about why the company didn't inform the FTC or its users when it discovered the mishandling of the data in 2015. All of these issues are covered under the consent decree.

When pressed by Rep. Diana DeGette, a Democrat from Colorado, about whether Facebook paid a fine as part of its settlement with the FTC, Zuckerberg replied: "Congresswoman, I don't remember if we had a financial penalty."

"You're the CEO of the company, you entered into a consent decree and you don't remember if you had a financial penalty?" she asked.

Wait, so does Facebook pay a penalty as part of the original consent decree?

No. As DeGette informed Zuckerberg during the hearing when he couldn't answer whether the company paid a penalty, the FTC cannot levy a fine for a company's first offense.

What's the possible penalty now?

The agency could fine Facebook up to $40,000 per violation per day. With 87 million users involved, the social media giant could be looking at a fine that theoretically reaches into the trillions of dollars.

But experts say the agency is unlikely to levy such a hefty penalty. After all, the goal isn't to put Facebook out of business. That said, the fine would have to be large enough to deter Facebook and other companies from being so lackadaisical about protecting consumer data.

"I'd be shocked if the FTC didn't fine them," said Ernesto Falcon, legislative counsel with the Electronic Frontier Foundation. "But if it's going to mean anything, they have to feel it. It can't be a fee that's easily absorbed and that Facebook can treat as though its business as usual."

When will this be wrapped up?

It could take years for the FTC to complete its investigation.
