Facebook is to pay a $5bn fine to settle privacy concerns, the US Federal Trade Commission (FTC) has announced.
The social network must also establish an independent privacy committee that Facebook’s chief executive Mark Zuckerberg will not have control over.
The FTC had been probing allegations political consultancy Cambridge Analytica improperly obtained the data of up to 87 million Facebook users.
The probe then widened to include other issues such as facial recognition.
The social network also fell foul of the regulator by not revealing that phone numbers collected for two-factor authentication would be used for advertising.
The FTC ruled that certain Facebook policies violated rules against deceptive practices.
The $5bn fine is believed to be the biggest ever imposed on any company for violating consumers’ privacy. It is also almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
The consumer protection agency the FTC began investigating Facebook in March 2018 after it was revealed that personal data was illegally harvested from an online personality quiz and sold to Cambridge Analytica, which may have used it to influence the outcome of the US 2016 presidential election or the UK Brexit referendum.
Although only 270,000 people took the quiz, whistleblower Christopher Wylie alleges that the data of some 50 million users, mainly in the US, was harvested without their explicit consent via their friend networks.
FTC representatives from all US political parties voted the settlement deal through, despite concerns from Democrats that the fine was not big enough and that the settlement did not go far enough.
In a post on Facebook, Mr Zuckerberg said that the firm would be making structural changes to how its products were built and how the company is run.
Privacy practices would now be headed by a new chief privacy officer for products.
“We have a responsibility to protect people’s privacy,” Mr Zuckerberg wrote.
He added that Facebook was reviewing technical systems to document possible privacy risks, and going forward, whenever the social network built a new product or that used data, or a feature changed how it used data, possible privacy risks would need to be documented and mitigated.
These new practices would go far beyond what is currently required of tech firms under US law, he stressed.
“We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward,” he said.
“As we build our privacy-focused vision for the future of social networking that I outlined earlier this year, it’s critical we get this right.”