WASHINGTON -- Facebook is facing a fine and new limits on the way it does business as part of a settlement over allegations that the social media giant failed to properly protect the privacy of millions of users' personal data.
—Facebook will pay $5 billion, about 9% of its revenue last year, to federal authorities.
NEW PRIVACY REQUIREMENTS
— Facebook must provide "clear and conspicuous" notice on how it is using facial recognition technology, and must obtain "affirmative consent" from users if it expands the use of facial recognition beyond what it has previously disclosed.
— Facebook is forbidden to use telephone numbers provided for account security — for instance, ones used to help verify user logins — for advertising.
— Facebook is prohibited from asking for email addresses to other services when users sign up for its services.
— Facebook must encrypt passwords and has to scan regularly for any stored in plain text, which makes them vulnerable to hackers.
— Facebook must establish a comprehensive data security program.
— Facebook will have to create a new board committee focused on data privacy. The members of the "privacy committee" must be independent and cannot be removed by founder and CEO Mark Zuckerberg. They will regularly brief Facebook management.
— CEO Mark Zuckerberg and compliance officers will have to submit quarterly reports that the company is meeting its privacy commitments. Zuckerberg could face civil and criminal liabilities if his certifications are false. He is not named personally as a defendant in the settlement, however, and still retains some powers over the board.
— Outside monitors, including the Federal Trade Commission and an independent "assessor," will have access to information on Facebook's privacy decisions. The assessor will meet quarterly with the privacy committee, both with and without the presence of Facebook management. The assessor will evaluate Facebook's data privacy program and submit the findings to the FTC every two years.
— Facebook management will brief the privacy committee every quarter and the committee will propose fixes to any issues that come up.
— Facebook will assess data privacy risks of each new product before it is launched. Its conclusions will be included in the quarterly privacy review reports.
— The company must document when the data of 500 or more users has been compromised and notify authorities within 30 days. It must provide reports every 30 days until the incident is fully investigated or resolved.