It’s fair to say that the last few days haven’t been Facebook’s best, but things could get even worse. Following news of the Cambridge Analytica controversy, former federal officials say the company may have violated the FTC's consent decree. If found guilty, Facebook could face fines reaching into the billions of dollars.

On Friday, Facebook suspended the accounts of political-data firm Cambridge Analytica, which had worked for the Trump campaign and on Brexit. The suspensions arrived just before reports from The New York Times and The Guardian that included allegations from whistle-blower Christopher Wylie.

Cambridge Analytica worked with a University of Cambridge psychology professor named Dr. Aleksandr Kogan, who developed an app called “thisisyourdigitallife.” The application built psychological profiles of people using their Facebook data, which could then be used in personalized political messages aimed at potential voters.

270,000 Amazon Mechanical Turkers were paid to use the app. And while it did ask for permission to harvest their data, it made no such requests to the 50 million Facebook friends who didn’t know about the app or give consent, yet still had their personal info sucked up.

Wylie told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”

Wiley also had his account suspended and was criticized by the company, yet his attorney says Facebook “privately welcomed” his help.

Now, the Washington Post reports that the incident could have violated the FTC privacy deal. Former US officials David Vladeck and Jessica Rich told the publication that as the app never asked for consent from users’ friends, it could have broken the decree.

Facebook "reject[s] any suggestion" that it violated the consent deal, and says it "respected" users' privacy settings.

If the FTC does go after Facebook, the company could be hit with a massive fine. The decree asks for up to $40,000 per person, which would equal $2 trillion. Although the agency would be unlikely to ask for so much, it could still hand the social network a punishment reaching into billions of dollars.