The FTC isn’t messing around.

The Federal Trade Commission, which is still investigating Facebook for potential privacy violations related to how the company has shared data in the past with outside developers, is negotiating with Facebook to settle the issue with a fine that could be billions of dollars, the Washington Post reported Thursday, February 14.

The negotiations are ongoing, and it’s still unclear exactly how much Facebook would have to pay — or if the company will settle at all. Without a settlement, the two sides could go to court.

But a multibillion-dollar fine would be the agency’s largest ever against a tech company, the Washington Post says. Facebook brought in almost $56 billion in revenue in 2018, so while the fine is steep, it’s also affordable.

The FTC, which has been investigating Facebook’s privacy practices since March 2018, is nearing the end of that investigation and is prepping what the Post described previously as a “record-setting fine” against the company.

Why is the FTC investigating Facebook?

Facebook’s Cambridge Analytica privacy scandal, which became public last March, inspired this investigation. It was learned that Facebook shared — without their permission — the personal profile information for tens of millions of people with an outside app developer back in 2014. That developer then sold that information to Cambridge Analytica, a data analytics firm that eventually worked with Donald Trump’s 2016 presidential campaign. The fact that the app developer collected the data was not against Facebook’s rules at the time. But selling the data was.

The entire incident left Facebook scrambling to explain how its data collection practices work — they’ve since been changed — and raised some serious questions about user privacy. Among them: Did this data sharing violate an agreement Facebook made with the FTC back in 2011 to better protect people’s privacy? The FTC wanted to find out, so it started investigating.

What did Facebook promise as part of its 2011 consent decree?

That agreement with the FTC, known as a consent decree, has multiple parts, including a requirement that Facebook receive “affirmative express consent” from users before making any changes to its privacy policies. The part of the agreement that seems to be up for interpretation is Facebook’s promise that it wouldn’t make any “misrepresentations about the privacy or security of consumers’ personal information.” It seems possible that allowing third-party developers to access a user’s personal information without their knowledge could be seen as a “misrepresentation” on Facebook’s part.

Facebook would disagree. The company has argued in the past that this data collection took place appropriately, given the company’s privacy policies that were in place at the time. People may not have known their data was being collected in the way it was, but that explanation was in the fine print of Facebook’s policies. The problem arose when the developer then sold that data to Cambridge Analytica, which was against Facebook’s rules.

Is that all the FTC is investigating?

Cambridge Analytica is what set off this investigation in March, but the company has had a number of privacy slip-ups since then that the FTC could be looking into. A number of software bugs created privacy concerns for Facebook this summer: One changed the privacy settings for as many as 14 million people without their knowledge; another “unblocked” people that hundreds of thousands of users had blocked, putting users’ safety at risk; yet another “vulnerability” exposed to hackers the personal Facebook data of almost 30 million people. When Facebook announced that breach, a company spokesperson said Facebook was “closely coordinating” with the FTC to let them know what happened, so the two sides have been in touch about more than just Cambridge Analytica.

What will Facebook’s punishment be?

There will most certainly be a fine imposed on Facebook, and the Post is reporting that it could be “record-setting.” Facebook’s 2011 consent decree says that the company could be fined as much as $16,000 per day for “each violation.” It’s unclear exactly what that means — does each impacted user count as a separate violation? — but when Google was fined by the FTC for privacy-related reasons in 2012, the fine was just $22.5 million, a record penalty at the time.

If Facebook is fined, the total is likely to be much higher, though it’s unclear how much damage the FTC can do with a monetary penalty alone. Facebook’s revenue in 2018 is estimated to be more than $50 billion. Even a $1 billion fine, which would be a huge leap from the penalty Google faced, would be less than 2 percent of the company’s total sales. Google was fined by regulators in France for violating Europe’s strict new data privacy laws. Even that fine was just $57 million.

It’s also possible Facebook will face other penalties, like a renewed privacy agreement that could create stricter penalties and rules for the company to follow.

How soon might this happen?

“Soon,” according to the Washington Post, though the government shutdown likely slowed things, given that most FTC employees were not working then. The New York Times says that the committee’s five FTC commissioners, who will ultimately decide on punishment for Facebook, had been coming into the office during the shutdown, though when we reached out to the FTC during the shutdown, we received this automatic reply: “The FTC Office of Public Affairs is closed due to the government shutdown. We are unable to respond to your email until the government is funded and resumes operation.”

What is Facebook saying about this?

Nothing, really. The company issued a statement last March, when the FTC first announced the investigation, to say that it welcomed “the opportunity to answer questions the FTC may have.” A source familiar with Facebook tells Recode the company is still cooperating with the FTC. Other than that, Facebook has been quiet.