On Thursday, the Federal Trade Commission finalized a landmark settlement with Facebook over the company’s alleged privacy malpractices accrued over the past year.

Whether it was Cambridge Analytica or falsely promising user control over its use of facial recognition, Facebook messed up — big time. But after months of negotiations with the FTC, Mark Zuckerberg’s leadership was left virtually untouched, and investors applauded the settlement in the company’s earnings call yesterday evening.

“Good news on the FTC settlement,” one investor said.

That agreement included a $5 billion fine, a penalty that’s small in comparison to the company’s total profits. Mark Zuckerberg (or any future executive) will need to personally sign off on new products and privacy provisions, and Facebook will need to set up an independent privacy committee at the board level that would diffuse Zuckerberg’s power over privacy decisions.

But for anyone hoping the settlement might change Facebook’s behavior, the settlement was frustrating, if not outright maddening. As soon as news of the settlement broke, Democrats put out scathing statements, calling the deal anything from a “joke” to a “slap on the wrist” for such overwhelming allegations of abuse. For reformers, it raises a difficult and urgent question: what more could the FTC have done?

“The question was in negotiations”

Officials at the Commission argued Wednesday that they did the best they could under current law and with the resources available. At yesterday’s press conference, FTC Chairman Joseph Simons repeatedly said that the Commission had two options: One, settle on “excellent terms” (what was agreed to in yesterday’s announcement); or two, litigate for years and receive “far less relief” than what’s included in the final settlement.

“The question was in negotiations, if there was something we could get for something, then we determined what was best for the public,” Jim Kohm, the FTC’s director of enforcement, said in response to a question on deposing Zuckerberg. “In this case, we got a lot of relief that we couldn’t otherwise have obtained and that is in some small part due to not going further.”

Most of what critics want — higher fines, personal liability, hard limits on data sharing — couldn’t be obtained through a settlement. Facebook simply wouldn’t agree to it. The only way to get it was by going to trial, which the FTC wasn’t ready to do. The courts are unpredictable, the majority said, and the Commission perhaps wouldn’t have received the amount of relief that was agreed to in the settlement.

That fight came to a head in the FTC’s push to depose Zuckerberg. As part of their investigation, officials received “millions of pages” of emails and communications that included Zuckerberg, and they felt that the agency had enough information to understand his role in the company’s privacy decisions. If Zuckerberg were deposed, Facebook officials were reportedly worried that it could open him up to a slew of private lawsuits if he was found to have made misstatements. If the Commission attempted to depose him, Facebook wouldn’t have agreed to a settlement and the FTC would have no other choice but to pursue the company in court.

In essence, Zuckerberg’s power on the board was a bargaining chip used by the FTC to negotiate the terms we saw in the settlement yesterday. “That is one of the decisions that would have forced the case to court,” Kohm confirmed to Business Insider. “If the tradeoffs are obvious and you don’t take the tradeoffs that best protect the American people, then you’re being irresponsible,” he said at yesterday’s presser.

It’s possible the FTC’s majority didn’t even want to remove Zuckerberg. There were harsher punishments they could have imposed, and less expansive immunities they could have granted. But even if the Commission had wanted to punish Facebook, its lack of statutory power forced it into a bargaining game with one of the world’s largest tech firms.

In the long term, the only way for the FTC to quickly and effectively punish tech companies for harming consumers is if Congress were to step up and empower the agency with heightened authority in a new privacy law. The FTC already has a similar power provided to it through the Children’s Online Privacy Protection Act (COPPA) to fine companies when they’re found to have abused the privacy of children under 13, but it’s largely inapplicable to tech companies, and there’s no equivalent protection for adults.

“This might have looked different”

“This might have looked different” if there was a federal privacy framework, Commissioner Noah Phillips said. “We have the order and we have the law we have today. This settlement is built around remediating that.”

For months, Chairman Simons has been pleading for a new law. But negotiations over the past few weeks have stalled, and it looks like Facebook was able to get off relatively easy, harming user privacy soon enough to skate by without harsher penalties imposed by Congress.

“Our authority in these types of cases is quite limited, which is why we have encouraged Congress to consider federal privacy legislation,” Simons said. “But for now, the only real-world choice here was to take a historic settlement that provides immediate and important protection to American consumers, or wait for years to get far less relief.”

“Not really much of a choice at all,” he continued.

If Congress were to draft a bill that would empower the FTC, it would first need to outline what constitutes a privacy violation. Is it not receiving opt-in consent to data collection? Is it a company deceiving consumers about what it’s doing with their data? Perhaps both of these and more will be considered violations under a new federal privacy framework. If a law were to consider these mishaps a deceptive act or practice, it would allow the FTC to go after companies more aggressively.

Conversations in Congress have reportedly stalled over the past couple months when it comes to drafting a privacy bill, but lawmakers could see yesterday’s announcement as reason to kick discussions back into gear. In the aftermath, some lawmakers have already put out statements hoping to see faster action on the legislative front.

“This tap on the wrist, not even a slap, makes Congressional action all the more urgent to set strong privacy rules and enforce them vigorously,” Sen. Richard Blumenthal (D-CT) said.