Facebook on Wednesday was ordered to create new layers of oversight for its collection and handling of users’ personal data by the Federal Trade Commission, as the agency detailed a privacy settlement with the social network that signals Washington’s newfound energy in reining in powerful technology companies.

As part of the agreement, the FTC mandated that the social network create an independently appointed privacy committee on its board, designate compliance officers to oversee a privacy program, undergo regular privacy audits that its chief executive, Mark Zuckerberg, and others must submit to, and appoint an outside assessor to monitor the handling of data. In addition, the FTC fined Facebook $5 billion for violating a 2011 privacy settlement.

The measures, which the FTC’s commissioners approved in a 3-2 vote this month, underline how aggressive regulators are aiming to be with Facebook and other behemoth tech companies. The fine was a record by the federal government against a tech company. And the conditions go further than the previous settlement between the FTC and Facebook.

MBA BY THE BAY: See how an MBA could change your life with SFGATE's interactive directory of Bay Area programs.

But the agreement stopped short of more punitive measures that the FTC had previously discussed against Facebook, including holding Zuckerberg personally liable for missteps and potentially taking the company to court. The fine was also a fraction of Facebook’s $56 billion in annual revenue. Most significantly, the settlement did not restrict the social network’s ability to gather, share and use people’s personal information — a core practice that has repeatedly raised privacy questions.

In a statement, the FTC’s three Republican commissioners who voted to approve the settlement — including the agency chairman, Joe Simons — said they were “proud” of the agreement. The measures “will provide significant deterrence not just to Facebook, but to every other company that collects or uses consumer data,” the statement said.

The FTC’s two Democratic commissioners disagreed, saying the settlement did not go far enough in checking Facebook.

Facebook’s punishments Fine Facebook will pay $5 billion, about 9% of its revenue last year, to federal authorities. New privacy requirements Facebook will have to more closely police how third-party developers use its platforms and ensure it no longer allows preferential partners to access data on unwitting Facebook users. Sony and Microsoft were still doing so until Wednesday. Facebook must provide "clear and conspicuous" notice on how it is using facial recognition technology, and must obtain "affirmative consent" from users if it expands the use of facial recognition beyond what it has previously disclosed. Facebook is forbidden to use telephone numbers provided for account security - for instance, ones used to help verify user logins - for advertising. Facebook is prohibited from asking for email addresses to other services when users sign up for its services. Facebook must encrypt passwords and has to scan regularly for any stored in plain text, which makes them vulnerable to hackers. Facebook must establish a comprehensive data security program. Accountability Facebook will have to create a new board committee focused on data privacy. The members of the "privacy committee" must be independent and cannot be removed by founder and CEO Mark Zuckerberg. They will regularly brief Facebook management. CEO Mark Zuckerberg and compliance officers will have to submit quarterly reports that the company is meeting its privacy commitments. Zuckerberg could face civil and criminal liabilities if his certifications are false. He is not named personally as a defendant in the settlement, however, and still retains some powers over the board. Transparency Outside monitors, including the Federal Trade Commission and an independent "assessor," will have access to information on Facebook's privacy decisions. The assessor will meet quarterly with the privacy committee, both with and without the presence of Facebook management. The assessor will evaluate Facebook's data privacy program and submit the findings to the FTC every two years. Facebook management will brief the privacy committee every quarter and the committee will propose fixes to any issues that come up. Facebook will assess data privacy risks of each new product before it is launched. Its conclusions will be included in the quarterly privacy review reports. The company must document when the data of 500 or more users has been compromised and notify authorities within 30 days. It must provide reports every 30 days until the incident is fully investigated or resolved. - Associated Press See More Collapse

“I fear it leaves the American public vulnerable,” said Rebecca Kelly Slaughter, a Democratic commissioner.

Facebook, which is reporting its quarterly earnings later Wednesday, did not immediately have a comment.

The FTC’s unveiling of the settlement comes as lawmakers and regulators have recently ratcheted up pressure on Google, Facebook, Apple and Amazon.

Last week, Congress held several hearings to question the companies on whether they were stifling free speech and competition. President Trump has weighed in, calling the tech platforms “crooked” and “dishonest” and saying “something is going to be done.” On Tuesday, the Justice Department said it would start an antitrust review into how internet giants had amassed market power and whether they had acted to reduce competition.

For Facebook, the agreement with the FTC does not end its regulatory and legal headaches.

The Securities and Exchange Commission on Wednesday said that it had levied a penalty of $100 million against the Silicon Valley firm for not clearly disclosing the risks around its privacy practices to investors, said a person with knowledge of the matter.

And around the world, Facebook faces other fights. Authorities in Europe and elsewhere are lining up to probe and limit tech companies on issues including privacy, antitrust and harmful content such as disinformation and hate speech.

The FTC’s investigation of Facebook for privacy violations was prompted by a report from the New York Times and the Observer of London last year on how the social network allowed Cambridge Analytica, a British consulting firm to the Trump campaign, to harvest the personal information of its users. Cambridge Analytica used the data to build profiles of American voters without the consent of Facebook users.

On Wednesday, the FTC said it had also agreed to settle with Cambridge Analytica’s former chief executive, Alexander Nix, and Aleksandr Kogan, an app developer who worked with the company, to restrict how they did business in the future.

The settlement between the FTC and Facebook was being closely watched as a litmus test for how U.S. regulators will curb the tech companies. But the partisan split at the FTC may lead to questions for Simons about whether this was the best that the agency could do. Some lawmakers had already criticized the $5 billion fine against Facebook as a slap on the wrist, given the amount of revenue that the company brings in.

One point of contention among the FTC commissioners was whether a settlement should shield Zuckerberg, Facebook Chief Operating Officer Sheryl Sandberg and other Facebook executives and directors from any personal liability for the company’s transgressions. The Democratic commissioners argued that the violations warranted holding the executives personally liable, while the Republican commissioners said new oversight would reduce the ability of Zuckerberg and others to make unilateral decisions.

The Democratic commissioners also argued that Facebook’s financial gains for violating its previous privacy commitments to the FTC would far surpass the $5 billion fine that the agency was imposing.

“When companies can violate the law, pay big penalties and still turn a profit while keeping their business model intact, enforcement agencies cannot claim victory,” Rohit Chopra, a Democratic commissioner, said in his dissent.

The three Republican commissioners said that the $5 billion fine was “record breaking” and that it reset the baseline for privacy cases.

They also said the FTC did not have a strong enough case to move forward with any litigation against Facebook. Ultimately, Simons and the other two Republican commissioners, Noah Phillips and Christine Wilson, said the concessions they were able to extract with a settlement were more valuable — and far more certain — than what might be achieved with a drawn-out legal battle in public.

“Is the relief we would obtain through this settlement equal to or better than what we could reasonably obtain through litigation?” they said. “If the answer had been ‘no,’ it would have made sense to aggressively move forward in court. The answer, however, was ‘yes.’”

Some leading privacy experts, who have spent years pressing the FTC to crack down on privacy abuses at Facebook, said the settlement was inadequate because it failed to significantly restrict Facebook’s collection and handling of consumers data or remedy the company’s past privacy deceptions.

Among other things, the FTC should have required Facebook to divest WhatsApp, the messaging service it bought in 2014, as a remedy for Facebook reneging on its commitments at the time not to merge WhatsApp user data with Facebook data, said Marc Rotenberg, executive director of the Electronic Privacy Information Center. His group spearheaded complaints that led to the FTC’s 2012 settlement with Facebook.

“There are no significant changes in business practices mandated,” Rotenberg said. “That’s the bottom line. And that’s the wrong outcome.”

Mike Isaac is a New York Times writer.