The FTC writes Facebook's new rulebook

Details: The settlement takes steps the FTC's Republican majority hopes will be enough to stop another Cambridge Analytica-style privacy disaster.

• Facebook will not be allowed to use user phone numbers, when they are provided for security features like two-factor authentication, to target advertising or share them with third parties.
• Facebook has to take steps to protect the security of user passwords.
• Facebook has to notify and obtain consent from users when creating a template for facial recognition based on their faces.
• Facebook has to appoint a "Chief Privacy Offer for Product" to oversee a newly-required privacy protection program. (The company announced Wednesday that that position would be filled by Michel Protti, who was previously vice president of product marketing on partnerships.)
• Facebook has to publicly disclose when the data of 500 or more users has been exposed in a way that violates its terms.
• CEO Mark Zuckerberg will be required to sign off on quarterly compliance reports.

Yes, but: Many policymakers said Wednesday that the agency hadn't been aggressive enough. They note that Facebook's core business of selling targeted ads remained effectively intact, and maintain that the deal gives Facebook a pass by immunizing it from future action related to "all consumer-protection claims known by the FTC prior to June 12, 2019."

The bigger picture: Facebook isn't done with the FTC yet.

• The agency is now investigating the company for possible antitrust violations, Facebook revealed Wednesday afternoon that it learned last month.
• Those concerns wouldn't be covered by the release from liability the company secured in the privacy settlement.