Facebook is facing some big changes after the Federal Trade Commission (FTC) settled with the social media giant over charges that it violated an earlier consent agreement. The company will pay a penalty of $5 billion, which is not only the biggest privacy fine in history, but also, according to FTC commissioner Noah Phillips, “almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.”

The order requires Facebook to make significant improvements in how it handles data privacy. Key changes include the creation of a privacy subgroup of Facebook’s board of directors to oversee data privacy, submission of quarterly privacy compliance statements that are independently certified by CEO Mark Zuckerberg and Facebook’s compliance officer(s), and a requirement that third parties with access to consumer information comply with the company’s terms, policies, and procedures. The order also mandates that an independent third-party assessor, approved by the FTC, provides quarterly assessments to the new privacy committee of Facebook’s Board.

The fine represents 9% of the company’s 2018 revenue. Critics in Congress and within the FTC’s ranks argued that the penalty barely touched Facebook’s profitability and did not force the company to stop collecting personal data. The two Democrats on the Commission, Rebecca Slaughter and Rohit Chopra, voted against the settlement, expressing the view that the order would not impose discipline on how Facebook treats data and privacy, and that Mark Zuckerberg should be held personally liable.

The FTC also launched an administrative complaint against now-bankrupt Cambridge Analytica (CA) “for its deceptive acts and practices to harvest personal information from Facebook users for political and commercial targeted advertising purposes.” The complaint alleges that CA collected Facebook profile data from 250,000-270,000 U.S. users plus 50-65 million of their Facebook friends without their consent.

The FTC further alleged that CA falsely claimed participation in the EU-U.S. Privacy Shield framework after the company neglected to renew its certification, which expired in May 2018. Under Privacy Shield rules, participants must affirm to the Department of Commerce, which oversees the program, that they will continue to apply the principles to personal information received during the time they participated in Privacy Shield. CA allegedly failed to do so while still claiming on its website that it adhered to Privacy Shield principles. In contrast with the Facebook settlement, the order individually names CA’s CEO, Alexander Nix, and its developer, academic researcher Aleksandr Kogan, for their personal involvement in the collection of Facebook members’ personal data.

Facebook’s privacy issues do not end with the FTC settlement. Facebook will also pay $100 million to the Securities and Exchange Commission (SEC) in a settlement announced on July 24, 2019 over charges that Facebook misled investors, presenting the risk of misuse of user data as hypothetical despite knowing about actual misuse for more than two years. Facebook is still under investigation by European data protection authorities in several member states for privacy violations under the General Data Protection Regulation (GDPR), under which fines can reach 4% of global profits. The FTC is also not done with Facebook; the agency is currently investigating the company for antitrust violations. Meanwhile, financial regulators have expression wariness of Facebook’s announced foray into cryptocurrencies.

Some advocacy groups denounced the settlement as not going far enough. The Electronic Privacy Information Center (EPIC) filed a Motion to Intervene in United States v. Facebook, calling the settlement “not adequate, reasonable, or appropriate.” EPIC claims the settlement would “extinguish more than 26,000 consumer complaints against Facebook that are pending at the FTC,” and asked the court to allow EPIC and other concerned organizations to have a chance to put their views before the FTC before the settlement is finalized.

Facebook still faces a bumpy enforcement road ahead, but the settlement with the FTC will likely have further ripples around the world for all international players. For example, as EU regulators continue their investigation of Facebook and other tech companies for alleged violations of the GDPR, we can expect that the FTC settlement will provide a benchmark they will try to beat to claim the title of “biggest penalty” for privacy violations worldwide. Investments in data privacy and security will continue to be an ever-larger component of corporate compliance programs.