US fine on Facebook puts CEO Zuckerberg on the hook
Facebook CEO Mark Zuckerberg during the II CEO Summit of the Americas on the sidelines of the VII Summit of the Americas in Panama City in this April 10, 2015 file photo. REUTERS/Carlos Garcia Rawlins/Files

A record $5 billion fine slapped on Facebook by US regulators on Wednesday came with conditions that included putting chief executive Mark Zuckerberg on the hook for future privacy violations.

A 20-year order was included in the settlement, which the Federal Trade Commission said carried the largest penalty ever imposed on a company for violating consumer privacy.

Restrictions that the FTC contended were unprecedented make Facebook executives from Zuckerberg on down accountable for decisions made about privacy at the social network as well as its WhatsApp and Instagram services.

- Zuckerberg and designated officers must submit to FTC quarterly certifications that the company is in compliance with the mandated privacy program. Any false certification will subject them to individual civil and criminal penalties.

- An independent privacy committee consisting of Facebook board members must be formed and operate "unfettered" by control of the company's dominant shareholder, Zuckerberg. The committee will select and oversee program compliance officers.

- Facebook must be more vigilant when it comes to third-party apps, terminating those that fail to comply with the platform policies or justify their need for specific user data.

- Facebook is prohibited from using telephone numbers obtained to enable a security feature for advertising, and must provide clear notice of its use of facial recognition technology.

- Facebook must encrypt user passwords and is barred from asking for email passwords to other services when people sign up for its services.

- Facebook must conduct a privacy review of every new or modified product or service before implementation, documenting its decisions.

- Facebook must document incidents in which the data of 500 or more users is compromised and what it does about such breaches, delivering the information to the FTC within 30 days.

- An outside assessor will evaluate the effectiveness of Facebook's privacy program every other year, relying on independently gathered information and not simply facts supplied by the California-based company.