San Francisco Chronicle

Facebook’s punishments

Fine

Facebook will pay $5 billion, about 9% of its revenue last year, to federal authorities.

New privacy requirements

Facebook will have to more closely police how third-party developers use its platforms and ensure it no longer allows preferential partners to access data on unwitting Facebook users. Sony and Microsoft were still doing so until Wednesday.

Facebook must provide “clear and conspicuous” notice on how it is using facial recognition technology, and must obtain “affirmative consent” from users if it expands the use of facial recognition beyond what it has previously disclosed.

Facebook is forbidden to use telephone numbers provided for account security — for instance, ones used to help verify user logins — for advertising.

Facebook is prohibited from asking for email addresses to other services when users sign up for its services.

Facebook must encrypt passwords and has to scan regularly for any stored in plain text, which makes them vulnerable to hackers.

Facebook must establish a comprehensive data security program.

Accountability

Facebook will have to create a new board committee focused on data privacy. The members of the “privacy committee” must be independent and cannot be removed by founder and CEO Mark Zuckerberg. They will regularly brief Facebook management.

CEO Mark Zuckerberg and compliance officers will have to submit quarterly reports that the company is meeting its privacy commitments. Zuckerberg could face civil and criminal liabilities if his certifications are false. He is not named personally as a defendant in the settlement, however, and still retains some powers over the board.

Transparency

Outside monitors, including the Federal Trade Commission and an independent “assessor,” will have access to information on Facebook’s privacy decisions. The assessor will meet quarterly with the privacy committee, both with and without the presence of Facebook management. The assessor will evaluate Facebook’s data privacy program and submit the findings to the FTC every two years.

Facebook management will brief the privacy committee every quarter and the committee will propose fixes to any issues that come up.

Facebook will assess data privacy risks of each new product before it is launched. Its conclusions will be included in the quarterly privacy review reports.

The company must document when the data of 500 or more users has been compromised and notify authorities within 30 days. It must provide reports every 30 days until the incident is fully investigated or resolved.
