U.S. regulators fined Facebook a record $5 billion penalty to settle claims that the company deceived its users about the privacy of their personal information in the fallout from the Cambridge Analytica scandal, while Facebook conceded that the episode represented a “breach of trust” with its users.
As part of the agreement, Facebook has agreed to set up an independent privacy committee, which regulators said would remove Facebook’s CEO Mark Zuckerberg’s “unfettered control” over decisions that affect user privacy.
Regulators also announced the government was suing Cambridge Analytica, the now-bankrupt data analytics company that harvested the personal data from as many as 87 million users in the run-up to the 2016 U.S. presidential election, and had reached settlements with two of its key players.
The payment is a fraction of Facebook's annual revenue of $56 billion.
“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” Joe Simons, the chairman of the Federal Trade Commission (FTC), said in a statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC."
"The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations,” Simons said. “The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”
Facebook’s lawyer Colin Stretch wrote in a statement that Facebook's "handling of this matter was a breach of trust between Facebook and the people who depend on us to protect their data."
"After months of negotiations, we’ve reached an agreement with the Federal Trade Commission that provides a comprehensive new framework for protecting people’s privacy and the information they give us," he wrote.
Two dissenting members of the five-member, Republican-controlled regulatory commission wrote that they did not think the settlement went far enough. The deal "places no meaningful restrictions on Facebook’s ability to collect, share, and use personal information," Commissioner Rohit Chopra, a Democrat, wrote in a dissenting opinion.
"Instead, the order allows Facebook to evaluate for itself what level of user privacy is appropriate, and holds the company accountable only for producing those evaluations. What it does not require is actually respecting user privacy,” he wrote.
Commissioner Rebecca Kelly Slaughter, also a Democrat, wrote that the FTC should have “initiated litigation” against Facebook and Zuckerberg. Other critics agreed.
"This is a $5 billion get out of jail card," the FTC's former chief technologist Ashkan Soltani told ABC News, noting that the settlement, in which his former agency indemnifies Facebook for "any and all claims prior to June 12, 2019," is "really unusual."
"Facebook doesn't have to admit guilt; they're indemnified for past behavior," Soltani said.
As part of the deal, the social media leviathan agreed to a 20-year settlement order that included "an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy," the FTC statement said.
Facebook will also be required to appoint compliance officers -- approved by the independent privacy committee -- to monitor its privacy programs, which must be re-certified several times a year to prove the company stays faithful to its promises. Zuckerberg will also submit regular privacy protocols to the FTC and face civil and criminal penalties if he is found to give false statements.
The FTC order also covers WhatsApp and Instagram, which are owned by Facebook, and requires that Facebook "conduct a privacy review of every new or modified product, service, or practice before it is implemented.
Any decisions about user privacy, instances where the data of 500 or more users has been compromised and Facebook’s response to such an event will need to be reported within 30 days, the agreement said. That is in line with controls put in place by European regulators, which have been stricter in their positions related to the use of personal data. Facebook must also increase monitoring of the data collection of third-party apps.
In the FTC’s separate action against Cambridge Analytica, the regulator alleged that the company had used "deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting," according to a separate statement from the FTC.
It also announced it had settled with its former CEO, Alexander Nix, and an app developer, Aleksandr Kogan, and that both had agreed to restrict their future business as well as "to delete or destroy any personal information they collected," according to the FTC statement.
The FTC alleged that Cambridge Analytica, Nix, and Kogan "deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data."
The app, which was created by Kogan, asked personality questions, and collected information from the app’s users and their Facebook friends without their knowledge. Cambridge Analytica, Kogan, and Nix then matched the app results with U.S. voter records for profiling and targeted advertising.
Cambridge Analytica has not settled.
Nix's attorney, Kory Langhofer, reacted to the FTC settlement in a statement to ABC News on Thursday.
“The most striking fact here is that Alexander Nix did nothing wrong," Langhofer said. "In our many conversations with legal counsel for the FTC, when we pressed them for any evidence of wrongdoing by Alexander, they never claimed such evidence and stated instead that such evidence was unnecessary. The FTC has a perplexing policy of seeking conciliation agreements with people, like Alexander, who were proximate to but not responsible for wrongdoing. In signing such an agreement, Alexander admits no wrongdoing and pays no fine; rather, he simply agrees not to violate FTC regulations in the future. That of course is unobjectionable, because Alexander never violated FTC regulations and intends never to do so in the future.”
Kogan declined to comment on the FTC action and, like Nix, did not admit to any wrongdoing in his settlement.
Separately Wednesday, the Securities and Exchange Commission (SEC) announced a settlement with Facebook over claims the company made "misleading disclosures regarding the risk of misuse of Facebook user data." The company announced it had agreed to pay a fine of $100 million but did not confirm or deny the claims.
"We share the SEC’s interest in ensuring that we are transparent with our investors about the material risks we face, and we have already updated our disclosures and controls in this area," Stretch wrote.
ABC News' Taylor Dunn and Ali Dukakis contributed to this report.