When the Federal Trade Commission announced today that it had reached an agreement with Facebook over privacy violations, the massive $5 billion fine stuck out. But critics argue that any monetary penalty — even the second-largest ever imposed by the FTC — won’t be enough to change Facebook’s behavior in the future. 

That’s why, as part of the settlement, the FTC also imposed new privacy constraints on the social network, which the agency said “overhauls” how Facebook deals with users’ data. In a statement, FTC chairman Joe Simons said the settlement will “change Facebook’s entire privacy culture.” The statement from the Republican majority at the agency describes it as “a privacy regime” with “a new corporate governance structure, with corporate and individual accountability and more rigorous compliance monitoring.”

With the eye-popping fine and talk of unprecedented oversight, you could think the FTC hit Facebook with everything in its power. But the fine print suggests the company still escaped any major changes to its business model. 

Under the order, which establishes oversight for 20 years, Facebook will be required to create an independent privacy committee at the board of directors level to make regular assessments of the company’s practices. The order will also require Facebook to use “compliance officers” who will be charged by the privacy committee with evaluating the company’s practices and approving compliance. 

A designated third-party assessor will also work to identify any gaps in Facebook’s privacy policies, and the company will be required to disclose any incident where more than 500 users’ data was compromised. Professional firms offer audit services, and massive companies like Facebook are familiar with them: the social network employed the firm PricewaterhouseCoopers to audit its compliance with an FTC order imposed in 2011. The assessor, under the FTC’s new order, will be charged with a biennial review of Facebook’s privacy practices. 

The FTC stresses that, while Facebook is in charge of creating the privacy committee, the agency will be deeply involved in reviewing the company’s practices over the next 20 years. Once those committee members are in, it also becomes difficult to remove them: only a supermajority of Facebook’s board will be able to fire members of the privacy committee. 

The order imposes several other constraints on Facebook as well, but as some have noted, the company may already be acting within many of those constraints. The FTC will require Facebook to get user consent before using facial recognition on users, for example, but it’s not clear whether the company will have to make substantial changes to how it already notifies them. The company will also be required to terminate app developers that aren’t in compliance with Facebook policies, which is an action it would likely want to take regardless. 

Critics of the order say the oversight structure is also woefully inadequate. “I don’t think it’s going to really move the dial forward on privacy as it stands,” says Jennifer Grygiel, an assistant professor of communications at Syracuse University who studies social media.

Facebook has already brought on many serious privacy experts, and it’s not clear that a nominally independent board, even one created under FTC order, will improve the company’s fundamental problems. “Why should the composition of a new board facilitate anything better?” Grygiel says. 

Notably, the FTC was split on the issue and only passed the order with a 3–2 decision. While the three Republican commissioners at the agency approved the move, the two Democrats on the commission dissented, saying that the order will do little to change the company’s behavior. 

Rohit Chopra, one of the Democrats, said in a statement that Facebook’s business model relies on “surveillance and manipulation” and that the order will fail to prevent privacy lapses in the future, saying the privacy provisions “are less than meets the eye.” 

“When reviewed carefully,” Chopra writes, “it becomes apparent that Facebook is essentially allowed to decide for itself the extent to which it will protect user privacy.” He goes on to say that the privacy committee is powerless to take any real action and that the requirements are so vague, they effectively provide a rubber stamp for Facebook to take whatever action it wants. 

Commissioner Rebecca Slaughter, the other Democrat on the commission, raised similar concerns. Without direct changes to data collection, Facebook will be allowed to collect private information “unfettered,” a problem that could “exacerbate competition as well as privacy concerns.” 

What would more substantial changes around privacy look like? “They should have called out Mark Zuckerberg specifically,” Grygiel says. Chopra, in his statement, agreed, saying that Facebook leadership either “sanctioned profitable lawbreaking” or “failed to implement reasonable compliance controls.” 

This, he writes, means stricter changes to the company’s governance are needed. Without substantial changes at the top, he suggests, the company’s privacy practices may never change.