The Federal Trade Commission has confirmed it is investigating Facebook over its privacy and data security practices, saying it has "substantial concerns."
That follows the revelation that Cambridge Analytica had used Facebook users' data without their knowledge to build profiles it then sold to political campaigns, including the Trump campaign.
Facebook has suspended Cambridge Analytica for violating its policies, saying the company should not have been able to get that info without users' permission.
Facebook has said the information was shared by a third party.
"[T]he FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook," said Tom Pahl, acting director of the FTC's Bureau of Consumer Protection. "Today, the FTC is confirming that it has an open non-public investigation into these practices."
"The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act," he said. "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements."
Facebook is under an FTC consent decree dating from its 2011 settlement of FTC allegations that it deceived consumers by not keeping its privacy promises. The FTC is authorized to enforce such pledges under its Sec. 5 (unfair and deceptive practices) authority.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said then-FTC chairman Jon Leibowitz at the time of the consent decree. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."
That consent decree requires Facebook to obtain a user's permission before sharing data, a point Sen. Ed Markey made in calling for the investigation earlier this month.
The FTC is in the spotlight when it comes to overseeing online privacy, since it is getting primary responsibility for both ISP and edge practices with the reclassification of internet access as an information service under the FCC's network neutrality reg rollback.
"The FTC's investigation must be penetrating and prompt in holding Facebook accountable for apparent illegal action. Facebook's failure to protect confidential user information likely violated specific legally binding commitments, but also basic norms and standards," said Sen. Richard Blumenthal (D-Conn.), who is a member of the Commerce Committee, which has jurisdiction over communications issues. "The possible remedies should include damage payments to users, and other court-ordered action. The sphere of scrutiny must be broader than just the consent decree. There is no excuse for delay."