Woman using Facebook. Credit: Nadir Keklik/Shutterstock.com

Facebook Inc.'s legal drama over user privacy violations took an expensive turn Wednesday morning with a record-setting $5 billion fine from the U.S. Federal Trade Commission, a penalty agency officers said has implications for all companies collecting user data.

The Menlo Park, California-based company has also reached a $100 million settlement with the U.S. Securities and Exchange Commission over inadequate privacy breach disclosures.

In a press conference Wednesday morning, FTC commissioners said the agency's order against the social media company should be read as a signal that consumer privacy violations will be taken seriously in the U.S., even without a federal law addressing the issue.

“The price of privacy violations just went up,” said Gustav Eyler, the director of the Department of Justice civil division's consumer protection branch, who spoke at Wednesday's briefing. He added the settlement is “an important part of” an “increased national focus” on consumer data protection.

Company leaders, including general counsel, should be “paying attention to privacy issues” and consider elevating related issues “to the board level,” Eyler said. Privacy is an issue “all firms should focus” on, he continued.

“This is Sarbanes-Oxley for privacy,” Eyler said. Federal legislators have held several hearings this year on a possible federal privacy act that could further clarify data protection rules in the U.S.

Many legal departments are already starting to focus on data collection policies, as the 2020 implementation date for the California Consumer Privacy Act—the first such U.S. state law—approaches. It's been just over a year since the European Union's enforcement of its General Data Protection Regulation kicked in, leading to mass fines against tech companies over privacy violations.

But Wednesday's fine—larger than any privacy penalty from the EU to date—is another reminder that consumer data protection concerns are top of mind for international agencies.

For tech giant Facebook, the fine eats up 9% of its 2018 revenue and 23% of its 2018 profits. The FTC settlement also outlines structural changes to the company's privacy policies, introducing a series of checks and balances.

For starters, Facebook must establish a board of directors committee solely focused on privacy, with members who can't be removed by Facebook employees or chief executive officer Mark Zuckerberg.

There are increased burdens on Zuckerberg and Facebook's “designated compliance officers,” possibly including chief privacy officer Erin Egan, who must now “each independently certify to the commission that the company is in compliance.” Egan and any other designated privacy officers will also have to present a quarterly privacy report to an independent assessor.

According to a company representative, Michel Protti, currently Facebook's vice president of partnerships product marketing, has been nominated to chief privacy officer for product. In that role, he would “be responsible for [Facebook's] privacy program.” First, the company representative said, Protti needs to be approved by the privacy board. He does not have a law background and has not held any named privacy positions previously, according to his LinkedIn profile.

Facebook general counsel Jennifer Newstead, who joined Facebook in April from the U.S. Department of State, will provide legal advice to Protti or the approved chief privacy officer for product. She and the legal department will also work with employees, particularly those who work on products, and the compliance team to meet Facebook's new obligations.

Her predecessor, Colin Stretch, signed off on Facebook's FTC settlement. Stretch announced his plans to leave Facebook last year, but promised to stay on for a transitional period this summer.

Wednesday's penalty stems from a yearlong investigation by the FTC into the social media company's alleged facial recognition practices, its collection and sharing of data without consent from users, and its lack of transparency for the collection of phone numbers for advertising purposes.

The company, which did not admit wrongdoing in the settlement, is also under investigation for privacy violations in the European Union.