Alongside a $5 billion fine, the US government just imposed a bunch of restrictions on what Facebook can and can't do: Here's the full list

FacebookFacebook CEO Mark Zuckerberg.

It’s official: Facebook was hit with a $US5 billion fine from the Federal Trade Commission as part of a settlement over claims the company mishandled user data.

The fine is a record for the FTC – perhaps a precedent for the kind of punishment that tech giants could expect for mishandling users’ data – and is a direct response to the Cambridge Analytica scandal, in which data from over 50 million Facebook users was improperly obtained by a political data-analytics firm.

The data was then used by the firm, Cambridge Analytica, to target American voters in the 2016 US presidential election.

Beyond the record fine, the FTC is also imposing a set of regulations on Facebook aimed at protecting user data. Here’s the full list:


1. “Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data.”

Pablo Martinez Monsivais/AP

The first regulation on the list directly addresses the root of the FTC’s complaints: that a third-party company was able to access a massive amount of user data through Facebook without the social-media giant stepping in to stop it.

In this case, the third-party company was Cambridge Analytica, with data taken from over 50 million Facebook users.


2. “Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising.”

The second regulation directly concerns users inputting their personal phone number into Facebook for “two-factor” authentication. This type of security requires users to receive either a text message or a phone call with a unique numerical code before they’re allowed to access their Facebook account.

That phone number is being given under the pretense of security, and thus Facebook is being required not to use this data for financial gain (such as advertising).


3. “Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.”

Apple

The third regulation pertains to Facebook’s ability to recognise faces from photos uploaded to the social-media network, and it says Facebook must alert users when facial-recognition software is used.


4. “Facebook must establish, implement, and maintain a comprehensive data security program.”

Facebook

The fourth regulation is broad – Facebook is required to “establish, implement, and maintain” an oversight committee.

“Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program,” Facebook CEO Mark Zuckerberg said on Facebook on Wednesday. “To implement this, we’ll have to review our technical systems to document any privacy risks and how we’re handling them. Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we’re taking to mitigate them. We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work.”


5. “Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext.”

Shutterstock

The fifth regulation concerns how passwords are stored by Facebook: The company must now keep passwords encrypted. This is a measure of internal and external security – both so Facebook employees can’t see user passwords but also so hackers can’t retrieve passwords stored without encryption.

This is a standard practice for any company operating a service with users who use passwords.


6. “Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.”

Getty Images

One major component of Facebook is verifying the identity of its users, and one way to do that is by using a third-party service that has already verified a person’s identity. But that’s far more banal than Facebook asking for the login information used on third-party services, like Google.

As such, the sixth and final regulation imposed on Facebook by the FTC on Wednesday specifically says Facebook is not allowed to ask for that login information.

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.