Facebook is to pay a $5bn fine to settle privacy concerns, the US Federal Trade Commission (FTC) has announced.
The social network must also establish an independent privacy committee that Facebook's chief executive Mark Zuckerberg will not have control over.
The FTC had been probing allegations political consultancy Cambridge Analytica improperly obtained the data of up to 87 million Facebook users.
The probe then widened to include other issues such as facial recognition.
The FTC ruled that certain Facebook policies violated rules against deceptive practices, ruling that Facebook's data policy was deceptive to people who used its facial recognition tool.
The social network also fell foul of the regulator by not revealing that phone numbers collected for two-factor authentication would be used for advertising.
The $5bn fine is believed to be the biggest ever imposed on any company for violating consumers' privacy. It is also almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
As part of a proposed settlement with the FTC, two of the defendants - former Cambridge Analytica CEO Alexander Nix and app developer Aleksandr Kogan - have agreed to administrative orders restricting how they conduct any business in the future.
The pair are also required to delete or destroy any personal information they collected.
Cambridge Analytica has filed for bankruptcy and as a result, has not settled with the FTC's allegations.
FTC representatives from all US political parties voted the settlement deal through, despite concerns from Democrats that the fine was not big enough and that the settlement did not go far enough.
In a post on Facebook, Mr Zuckerberg said that the firm would be making structural changes to how its products were built and how the company is run.
Privacy practices would now be headed by a new chief privacy officer for products.
"We have a responsibility to protect people's privacy," Mr Zuckerberg wrote.
He added that Facebook was reviewing technical systems to document possible privacy risks, and going forward, whenever the social network built a new product or that used data, or a feature changed how it used data, possible privacy risks would need to be documented and mitigated.
These new practices would go far beyond what is currently required of tech firms under US law, he stressed.
"We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work. And we expect it will take longer to build new products following this process going forward," he said.
"As we build our privacy-focused vision for the future of social networking that I outlined earlier this year, it's critical we get this right."