Facebook is staring down its first fine for allowing Cambridge Analytica to improperly access data about millions of people, potentially opening the door for governments around the world to slap the social media giant with other tougher penalties and stricter regulation.
On Tuesday, UK watchdogs announced a NZ$973,653 preliminary fine - the maximum amount allowed - after finding Facebook lacked strong privacy protections and overlooked critical warning signs that might have prevented Cambridge Analytica from trying to manipulate public opinion on behalf of clients around the world, including those who sought to withdraw Britain from the European Union in 2016.
The penalty from the UK data watchdog, called the Information Commissioner's Office, could change as the agency discusses the matter further with Facebook.
Normally, the ICO does not reveal its initial findings but said it had done so in this case because of the heightened public interest in the matter. It promised another update in October.
Erin Egan, Facebook's chief privacy officer, acknowledged in a statement Tuesday that Facebook "should have done more to investigate claims about Cambridge Analytica and take action in 2015."
The British findings highlight that the fallout from Facebook's Cambridge Analytica scandal is only beginning.
The UK's early efforts could inform ongoing investigations elsewhere in Europe as well as the United States, where a probe by the Federal Trade Commission could result in a penalty well into the hundreds of billions of dollars.
The FBI and the Securities and Exchange Commission are also looking into Facebook's ties to Cambridge Analytica.
Facebook's Egan referred to the numerous investigations involving the company. "We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries," she said. "We're reviewing the report and will respond to the ICO soon."
The UK's probe adopted a wide lens, focusing not only on Facebook but also on the ecosystem of players - totaling 172 organizations and 285 individuals - involved in the collection and sale of data about web users for political purposes.
In an accompanying report, Elizabeth Denham, the UK information commissioner, expressed unease with the "significant shortfall in transparency" from tech companies, political parties and others that harness sensitive bits of information online.
"A significant finding of the ICO investigation is the conclusion that Facebook has not been sufficiently transparent to enable users to understand how and why they might be targeted by a political party or campaign," Denham wrote.
"Whilst these concerns about Facebook's advertising model exist generally in relation to its commercial use, they are heightened when these tools are used for political campaigning."
In a roughly 40-page report, British regulators faulted Facebook for allowing Cambridge University researcher Aleksandr Kogan to build an app that collected data about Facebook users as well as their friends on behalf of Cambridge Analytica.
The social giant permitted apps to collect this information until 2015, but the UK watchdog said Tuesday it was concerned that many people on the site "may not have been sufficiently informed that their data was accessible in this way."
UK investigators also questioned whether Facebook failed to maintain adequate safeguards to ensure other third-party app developers had not misused social data. The British agency said Facebook may have had a "missed opportunity" in 2014 to thwart Kogan's activities on the site.
The British agency said it is still weighing potential penalties against Kogan as well as Alexander Nix, the former chief executive of Cambridge Analytica.
For the UK, the key consideration has been the extent to which Facebook data - once in the hands of Cambridge Analytica and its parent company, SCL Elections - may have been used to assist those who supported a vote to leave the EU, known as Brexit.
British authorities also said Tuesday they are bringing a "criminal prosecution" against the parent company, SCL Elections Limited, for failing to respond to its enforcement notices.
And UK regulators pledged additional scrutiny of Facebook to come. Among the issues they are still probing is an assertion by Cambridge Analytica that it had deleted the data, after the social media giant requested it in 2015.
The UK's investigation found "evidence that copies of the data/parts of it also seem to have been shared with other parties and on other systems beyond," which "potentially brings into question the accuracy" of Cambridge Analytica's assertion that it wiped the data from its stores.
Since its entanglement with Cambridge Analytica became public, Facebook has pledged to review all third-party apps on the platform while introducing new transparency measures, including an online repository of all political ads that run on the site.
It's not the first time, however, that Europe has penalised Facebook. Last year, antitrust regulators in the European Union slapped Facebook with a US$122 million fine. The region's competition chief said the social media company had provided misleading information about its privacy promises during its 2014 acquisition of the messenger app WhatsApp.
Facebook also received a minor fine of US$164,000 from French regulators for failing to meet the country's data protection rules.