The Federal Trade Commission announced a settlement with the company behind a popular Android flashlight app last week, resolving allegations that the up to 100 million users who downloaded the app had their location tracked and shared with third parties without appropriate disclosure or consent.

That sounds like a pretty big deal, right? But under the terms of the settlement, the firm won't face a very harsh punishment. It will have to rewrite its privacy policy to disclose that its users' geo-location and device ID data are shared with third parties (including advertising networks), agree to delete the personal information it already has about its users, and enter into an enforcement agreement with the FTC for the next several years. But there won't be a fine.

Why not? According to David Jacobs, Consumer Protection Counsel at the Electronic Privacy Information Center (EPIC), it all has to do with how the FTC's consumer protection authorities are set up. Under the FTC's broadest enforcement power, the FTC doesn't have the power to fine companies for a first offense.

Here's how the FTC's authority works: First, there's a requirement that the commercial practice in question has to do with interstate commerce, then "Section Five [of the statute establishing the agency] gives the FTC the ability to act against unfair or deceptive practices."

"The FTC has further defined both of these," says Jacobs. "For instance on unfairness, there has to be substantial harm, can't be reasonably avoidable by consumers, and can't be outweighed by benefits to the consumer." Deception is a little bit more straightforward and is implicated almost any time a company misleads consumers. "Apart from very specific statute exceptions like the airlines, they apply to really any business sector of the industry," Jacobs explains. While the flashlight app case involved privacy, it can involve pretty much any kind of misleading advertising.

However, "there's no initial fining authority under Section Five of the FTC act," says Jacobs. Instead, businesses essentially get one free pass where they don't have to pay a fine, but are typically slapped with other kinds of enforcement. That's what happened in the flashlight app case. But once businesses are subject to one enforcement action with the FTC, they're typically required to enter into an agreement with the agency — and when companies are repeat offenders, that's when the fines start rolling in.

And that model seems to be fairly effective, says Jacobs. "Right now the FTC actually has consent orders with a lot of the major tech companies," including Google, Facebook, Twitter and Myspace, he says. "So in a lot of these cases the authority is there, it's just a matter of enforcement." And there has been enforcement: For instance, Google agreed to pay a $22.5 million settlement last year over allegations that the tech giant misrepresented its tracking actions to users of Apple's Safari browser.

Jacobs believes the FTC has "the tools to deal with many privacy violations that arise in the commercial sphere." However, he also notes there's currently "no federal baseline privacy legislation." EPIC and other consumer advocates have been trying to work with the White House to translate a consumer privacy bill of rights into legislation, a move he says "would really strengthen privacy enforcement at the federal level."

But the FTC's enforcement on privacy issues is limited, and it also faces some challenges. For instance, FTC v. Wyndham, a pending lawsuit over data security enforcement, could result in a curbing of FTC enforcement on many of these issues if it is successful.