Mark Zuckerberg, Facebook’s 33-year-old multibillionaire CEO, may have schooled Congress in two marathon-length hearings this week during his discussion of the Cambridge Analytica data leak that exposed millions of Facebook users’ personal data, but his company isn’t out of the woods yet.
Among its biggest concerns is a Federal Trade Commission investigation into whether Facebook violated a 2011 settlement with the government promising to enact reforms to address concerns over how it tracked and shared data about its users. If the company’s found to have violated the agreement, it could face penalties of up to $40,000 per user per day, which could in theory add up to billions, if not trillions, of dollars.
Zuckerberg came to Washington this week in an attempt to do damage control following revelations last month that an app developer named Aleksandr Kogan had sold data for as many as 87 million Facebook users to the UK-based political consulting and data mining firm Cambridge Analytica, which had ties to the Trump presidential campaign.
In question is whether Facebook should be on the hook for allowing an app developer to share personal data of millions of Facebook users without their consent, which many experts argue is a violation of its 2011 agreement with the government. The FTC has already opened an investigation into Facebook to determine if the company has been following the terms laid out in the 20-year agreement.
To help you understand what the 2011 FTC consent decree is and why it matters, CNET has put together this FAQ.
What’s a ‘consent decree’?
It’s an agreement or settlement that resolves a legal dispute between two parties without the admission of guilt or liability.
By agreeing to this consent decree in 2011, Facebook didn’t admit it had broken the law. But the agreement itself does carry the force of law going forward, which means that if Facebook breaks the terms, it’s breaking the law and penalties can be assessed.
What did the consent decree between the FTC and Facebook involve?
In the 2011 complaint, the FTC accused Facebook of breaking its promise to keep its users’ data private. Facebook had assured users that third-party applications only had access to data required for them to function. But in fact, applications had access to almost all of a user’s personal information.
Under the settlement, Facebook agreed to get consent from users before sharing their data with third parties. It also required Facebook to establish a “comprehensive privacy program” and to have a third party conduct audits every two years for the next 20 years to certify its program is effective.
Did Facebook violate this consent decree?
The FTC is currently investigating to answer this question. But many experts, including former FTC officials, say it looks like it has. David Vladeck, the former director of the FTC’s Bureau of Consumer Protection, who worked on the FTC’s enforcement case against Facebook, writes in a Harvard Law Review blog, “Facebook’s apparent violations … of the decree is troubling.” He suggested that even aside from the consent decree, the way Facebook allowed Kogan to harvest user data “plainly violated the Federal Trade Commission Act’s prohibition against ‘deceptive acts or practices.’”
And then there’s the question of the third-party audits that Facebook was supposed to be doing in order to verify it was protecting user data.
Zuckerberg explained during the hearing that when Facebook discovered Kogan had sold the data to Cambridge Analytica, the company asked the firm to delete the information. But Facebook didn’t verify that it had