Facebook Inc.’s long-expected settlement with regulators over its privacy practices is now official.

The Federal Trade Commission today announced that the company has agreed to pay a $5 billion fine, as well as subject itself to increased oversight and implement more stringent data controls. The deal marks the biggest privacy fine ever handed out by the FTC. It will have to be approved to a federal judge before coming into force.

The FTC opened a probe into Facebook last year after Cambridge Analytica, a British political consulting firm, exploited the social network’s lax data controls to harvest personal information about millions of users. Officials charged that the incident violated a 2012 settlement between Facebook and FTC meant to improve its privacy policies.

Today’s deal also settles two more recent privacy scandals that the FTC said violated the 2012 agreement. The first involved Tag Suggestion, a facial recognition setting for user photos that Facebook said was turned off by default when it wasn’t. Additionally, the company used phone numbers that it had claimed were needed to improve account security for advertising purposes.

The commission is imposing new requirements on Facebook meant to prevent a repeat of these incidents. Under the settlement, the social network is prohibited from feeding phone numbers collected for security reasons into its advertising systems. Moreover, the company will have to “provide clear and conspicuous notice of its use of facial recognition technology.”

The FTC’s privacy program addresses the Cambridge Analytics breach as well. External apps, like the one the British consulting firm used to harvest records, will now have to verify compliance with Facebook’s security policies and justify their access to user data.

On top of these changes to day-to-day privacy practices, Facebook must implement a new companywide governance structure. The FTC has ordered the social network to form an independent committee within its board of directors to oversee privacy matters.

The committee will work together with “designated compliance officers,” namely Facebook Chief Executive Mark Zuckerberg (pictured) and other senior executives. The leadership team must from now on submit quarterly and annual certifications that the company meets the new privacy requirements. As an added measure, an external FTC-approved external assessor will carry out independent evaluations to verify Facebook’s compliance. 

FTC Chairman Joe Simons said in a statement that the settlement “is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

Others aren’t so sure. Republican Senator Josh Hawley said on Twitter that the settlement is “very disappointing. This settlement does nothing to change Facebook’s creepy surveillance of its own users & the misuse of user data. It does nothing to hold executives accountable. It utterly fails to penalize Facebook in any effective way.”

Likewise, former Facebook security chief Alex Stamos said the deal could have consequences the FTC didn’t intend, in particular to reduce competition with Facebook. “Facebook already has ~2.5B users,” he tweeted. “It has the world’s second largest ad network. It never again needs data from anybody else to make money or third parties to facilitate growth. This order doesn’t include the word competition or include any balancing tests. It’s fantastic for FB.”

Zuckerberg also addressed the agreement in a Facebook post. He detailed that the company will assign more than 1,000 employees to making sure that new features, as well as updates to existing services, comply with the privacy rules. 

“We’ll have to review our technical systems to document any privacy risks and how we’re handling them,” he wrote. “Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we’re taking to mitigate them.”

Separately, Facebook today reached an agreement to end a parallel probe by the Securities and Exchange Commission into the Cambridge Analytica breach. The agency accused the social network of misleading investors about the risk of user privacy abuses on its platform. Facebook will pay a $100 million penalty and won’t have to admit guilt.

Still, Facebook’s regulatory issues are far from over. Just hours after the FTC settlement, Facebook said in its earnings report that the commission has opened a formal antitrust inquiry into the company.

Photo: quintanomedia/Flickr