In 2014, Uber executives had a devious little hobby: spying on everyone from Beyoncé to their ex-girlfriends. The creepy digital stalking was possible thanks to the company’s controversial “God View” tool, which allowed employees see the geolocation data of specific users. The Federal Trade Commission got wise, and now the company is getting another slap on the wrist in a long, long line of slaps on the wrist. This one might stick, and for Uber customers, it might make the service just a little bit safer.

On Tuesday, the FTC announced that Uber had agreed to settle the agency’s long-standing complaint that it had widely failed to preserve its customers privacy.

Under the agreement, Uber won’t have to pay a fine or any other penalty, but it will have to “implement a comprehensive privacy program” that includes submitting to regular independent audits to make sure it’s not up to its old tricks.

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” FTC Acting Chairman Maureen K. Ohlhausen said Tuesday. “This case shows that, even if you’re a fast-growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

Under the new agreement with the FTC, Uber has to do some very simple things: stop “misrepresenting how it monitors internal access to consumers’ personal information” and “misrepresenting how it protects and secures that data.” In other words, the company has to be transparent about who at the company can see where you are at all times (as you share location data with the app).

Uber also has to implement a “comprehensive privacy program” that addresses future risks with new software it implements — so if Uber implements something like a “predictive ride feature,” picking people up in locations that they’re frequently hailing a car from (this is a hypothetical); it has to evaluate how that’s going to affect customer data privacy and be transparent about it. The fine print is that within 180 days of the agreement, and then every two years after that for 20 years, the company has to submit to audits, where an outside investigator will essentially check its work and make sure everything’s good.

NEW ORLEANS, LA - FEBRUARY 19: Jay Z, Blue Ivy Carter and Beyonce Knowles attend the 66th NBA All-Star Game at Smoothie King Center on February 19, 2017 in New Orleans, Louisiana. (Photo by Theo Wargo/Getty Images)
Under the old system, Uber employees could watch VIPs move around the city. 

“Going forward, our order requires a culture of privacy and sensitivity for Uber,” Ohlhausen told reporters Tuesday. “It’s going to make them take privacy into account every day in order to comply with our provisions.”

Interestingly, the FTC’s current complaint does not apply to the company’s highly controversial, potentially illegal “greyball” tool,” which Uber employees used to evade police and local regulators in cities where they didn’t have official permission to operate.

Ohlhausen said that the FTC doesn’t reveal whether it has ongoing investigations. She also responded to several questions asking, essentially, why Uber isn’t actually paying any damages, explaining that the FTC usually can only collect financial recompense if they can prove that the consumers affected by the transgression or consumers in general suffered financial losses. In other words, an Uber exec spying on Beyoncé on the app isn’t costing the singer money, it’s just extremely, extremely creepy. Ohlhausen did say, however, that if Uber violates the terms of the current deal, it’s going to have to pay up.