It’s Getting Real: Facebook Sets Aside $3 Billion to Cover Data Breach Fine

This legal reserve has shrunk Facebook's first-quarter profit on paper by more than half.


Facebook’s historic Cambridge Analytica scandal will soon have a price tag.

In its first-quarter earnings report on Wednesday, Facebook said it had set aside $3 billion for an expected fine from the Federal Trade Commission (FTC) for sharing the personal data of 87 million Facebook users with the British marketing firm in a 2015 incident.


The FTC has been investigating the case for over a year to determine whether Facebook violated a 2012 agreement with the agency not to collect and share user data with outside parties.

On Wednesday, Facebook posted first-quarter revenue of $15.08 billion, up 26 percent from the same period a year ago, suggesting that its advertising business was still going strong despite reputational turmoil amid privacy scandals. But due to the $3 billion penalty reserve, which was recorded as an accrued cost, Facebook’s profit for the quarter dropped by more than half from a year ago to $2.43 billion.

The company said “there can be no assurance as to the timing or the terms of any final outcome.” In the worst-case scenario, Facebook expects the FTC to levy a fine of up to $5 billion, which falls right on the mark predicted by Observer last year.

If implemented, this fine will be the largest the FTC has ever slapped on a U.S. company and will set an important precedent for the relatively new data breach field. The existing record-high fine for privacy violation is $100 million, levied by the agency as part of three settlements between 2015 and 2017.

So far, the largest penalty Facebook has paid for the Cambridge Analytica case was a £500,000 ($660,000) ticket issued by Britain’s Information Commissioner’s Office last July. The amount was the maximum allowed under the European Union’s old data privacy laws, which were in effect when the data breach happened.

If the incident had taken place after the EU’s new General Data Protection Regulation (GDPR) came into effect, Facebook could have faced a fine of up to $1.1 billion, or four percent of its 2016 revenue.

In the U.S., aside from the FTC, Facebook is also under investigation by three other regulators (the SEC, the FBI and the Justice Department) and could face additional fines.

The SEC, for example, could levy a fine of up to $1.8 billion for insufficient public disclosure during the Cambridge Analytica case (the incident happened in 2015, but Facebook didn’t notify shareholders until 2017), a regulated industries expert told Observer last summer. This estimation was based on Facebook’s market capitalization and a preceding Yahoo case of a similar nature.
