Even judging by the low standards of creepy data-mining apps, "Brightest Flashlight" did something pretty egregious. The free app, which was installed by at least 50 million Android users, transmitted users' real-time locations to ad networks and other third parties. It was, in other words, a stalking device disguised as a flashlight.

In December, the Federal Trade Commission exposed the app's antics and also announced a proposed settlement with the app maker, GoldenShores Technologies, a one-man operation based in Idaho. In doing so, the agency explained how Brightest Flashlight used legal flim-flam in a privacy policy and user license agreement to obscure what the app was up to. The terms are now final, and they're underwhelming, to put it mildly.

In a Wednesday announcement, the FTC confirmed that GoldenShores and owner Erik Geidl are not to collect app users' geolocation without clearly explaining how and why they're doing so and, in broad terms, say who is receiving that information. The flashlight app maker will also have to keep records for the FTC to inspect, and Geidl will have to tell the agency about any new businesses he decides to start in the next 10 years. He also has 10 days as of the order to delete all the data he collected. On paper, the order looks like stern stuff but, in practice, it's hard to see how this amounts to real punishment. Even though Geidl did something deeply unethical, compromising the privacy of tens of millions of people, he will not pay a cent for his misdeeds.