Ahead of Facebook's second-quarter earnings release after the market closes today, the U.S. Federal Trade Commission has officially announced the record $5 billion penalty it is imposing on the world's largest social networking company. The fine had been widely expected, as negotiations had been ongoing for months, and investors cheered reports that the settlement was imminent, even if the penalty is at the high end of what Facebook had been expecting.

Here's what investors need to know about the settlement.

A historic settlement

Facebook is getting hit with the penalty due to its numerous privacy transgressions and scandals over the past two years, and the company is also being required to reform its internal practices in order to strengthen privacy protections for consumers.

Facebook will create a new committee on its board of directors tasked with overseeing privacy decisions. While Mark Zuckerberg will remain as both chairman and CEO, he will no longer be the company's main decision-maker with regard to consumer privacy. The goal is to remove "unfettered control by Facebook's CEO Mark Zuckerberg over decisions affecting user privacy."

There will be new compliance officers tasked with overseeing the new privacy program, and the privacy committee will appoint these officers. An independent third-party assessor will evaluate how effective the new privacy protections are, calling out any shortfalls that need to be addressed. Compliance officers will prepare quarterly privacy reports for Zuckerberg and the independent assessor, and the FTC will also have access to these reports.

Other new privacy requirements include:

  • Stronger oversight over third-party apps that access user data.
  • Facebook cannot use phone numbers provided for two-factor authentication for ad-targeting purposes.
  • There must be clear disclosure of Facebook's use of facial recognition technology, and it must obtain user consent for any use of that technology that "materially exceeds its prior disclosures."
  • The company has to establish, implement, and maintain a comprehensive data security program.
  • Passwords must be encrypted and Facebook has to regularly check to see if any passwords are stored in plain text.
  • Facebook can't ask for email passwords for other services.

Another $100 million on top

The SEC has separately slapped Facebook with a $100 million fine for making misleading disclosures to investors around the risks of data misuse.

"For more than two years, Facebook's public disclosures presented the risk of misuse of user data as merely hypothetical when Facebook knew that a third-party developer had actually misused Facebook user data," the securities regulator said in a statement. "Public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe a risk as hypothetical when it has in fact happened."

Is it enough?

Despite the sheer size of the penalty, $5 billion still may not be enough. While Facebook is framing the settlement as a privacy win for consumers, critics think the agency could have done more. For example, FTC Commissioner Rohit Chopra voted against the deal and issued a blistering dissenting statement in addition to posting a thread on social media regarding his position.

"The settlement imposes no meaningful changes to the company's structure or financial incentives, which led to these violations," Chopra wrote. "Nor does it include any restrictions on the company's mass surveillance or advertising tactics."