Alongside a $5 billion fine, the US government just imposed a bunch of restrictions on what Facebook can and can't do: Here's the full list

Facebook CEO Mark Zuckerberg.

It's official - Facebook was hit with a $5 billion fine from the Federal Trade Commission due to mishandling of user data.

The fine is a record for the FTC - a move seemingly intended to set a precedent for the kind of punishment that tech giants could receive for mishandling their users' data - and is a direct response to the Cambridge Analytica scandal, where data from over 50 million Facebook users was obtained without permission by a political data analytics firm.

The data was then used by Cambridge Analytica to target American voters in the 2016 US Presidential election.

More than just a record-setting fine, the FTC is also imposing a set of regulations on Facebook aimed at protecting user data. Here's the full list:

1. "Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook's platform policies or fail to justify their need for specific user data."

The first regulation on the list directly addresses the root of the FTC's complaints: that a third-party company was able to access a massive amount of user data through Facebook without the social media giant stepping in to stop it.

In this particular case, the third party in question was Cambridge Analytica, and the data taken was from over 50 million Facebook users.

2. "Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising."

The second regulation directly concerns users inputting their personal phone number into Facebook for so-called "two-factor" authentication. This type of security requires users to receive either a text message or phone call with a unique numerical code before they're allowed to access their Facebook account.

That phone number is being explicitly given for a security reason, and thus Facebook is being required to not use this data for financial gain (such as advertising).

3. "Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users."

The third regulation pertains specifically to Facebook's ability to recognize faces from photos uploaded to the social media network, and forces Facebook to alert users when facial recognition software is being used.

4. "Facebook must establish, implement, and maintain a comprehensive data security program."

The fourth regulation is broad — Facebook is required to "establish, implement, and maintain" an oversight committee.

"Just as we have an audit committee of our board to oversee our financial controls, we'll set up a new privacy committee of our board that will oversee our privacy program," Facebook CEO Mark Zuckerberg said on Facebook on Wednesday. "To implement this, we'll have to review our technical systems to document any privacy risks and how we're handling them. Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we'll have to document any risks and the steps we're taking to mitigate them. We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work."

5. "Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext."

The fifth regulation directly concerns how passwords are stored by Facebook, which is now required to keep passwords encrypted. This is a measure of both internal and external security — so that Facebook employees can't see user passwords, and so that hackers can't retrieve passwords stored without encryption.

This is a standard practice for any company operating a service with users who use passwords.
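As an added illustration of that standard practice (this is example code, not Facebook's implementation or the FTC order's text): the usual way to meet a requirement like item 5 is to store a salted, slow one-way hash instead of the password itself, and to scan the credential store for any record that is not in that hashed form. The record format, the `SAMPLE_STORE` contents and the function names are constructed for this example; the hashing uses Python's standard-library PBKDF2.

```python
import hashlib
import hmac
import os
import re

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation).
ITERATIONS = 600_000

# Constructed storage format: algorithm$iterations$salt_hex$digest_hex.
# Anything in the store that does not match this shape is suspect.
HASH_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]{32})\$([0-9a-f]{64})$")


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a salted PBKDF2 record; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    m = HASH_RE.match(stored)
    if not m:
        return False  # malformed or plaintext record: never treat as valid
    iterations, salt, expected = int(m.group(1)), bytes.fromhex(m.group(2)), m.group(3)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest.hex(), expected)


def scan_for_plaintext(records: dict) -> list:
    """The 'regular scan' of item 5: report every user whose stored credential
    is not in the hashed format (e.g. a raw password written by mistake)."""
    return [uid for uid, stored in records.items() if not HASH_RE.match(stored)]


# Constructed sample credential store: two correctly hashed entries and one
# record where a plaintext password slipped in, which the scan must flag.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": "hunter2",
    "carol": hash_password("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    print("plaintext records found:", scan_for_plaintext(SAMPLE_STORE))
```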

6. "Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services."

One major component of Facebook is verifying the identity of its users, and one way to do that is by using a third-party service that has already verified a person's identity. But that is far more benign than Facebook asking for the login credentials people use on third-party services, like Google.

As such, the sixth and final regulation imposed on Facebook by the FTC on Wednesday specifically involves Facebook not being allowed to ask for that login information.
