He said the FTC regularly took “enforcement action” against firms that caused substantial injury to consumers by breaking laws that govern how personal information should be kept safe.
Facebook is required by law to notify users and get their permission before data is shared beyond their preferred privacy settings in what is known as the “consent decree”.
David Vladeck, the former director of the FTC’s Bureau of Consumer Protection, said that the penalty for each violation of the consent decree is $40,000.
If the data of 50 million people were indeed compromised, the social network’s financial exposure to fines could run into trillions of dollars, Mr Vladeck told the Washington Post.
Rob Sherman, deputy chief privacy officer for Facebook, told CNBC it would“appreciate the opportunity to answer questions the FTC may have”.
The data was grabbed via an app that let people take a personality quiz. Although only 270,000 people completed the quiz, the app was able to exploit the way Facebook held data to get at information about millions more.
Facebook says it has changed its rules on user consent to stop other third parties harvesting data in the same way.