“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users” -- Federal Trade Commission Chairman Jon Leibowitz
The Federal Trade Commission (FTC) has announced the long-rumored proposed consent decree with Facebook, settling allegations in a complaint that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices. The settlement comes ahead of Facebook’s planned IPO this spring and carries no financial penalties. Importantly for Facebook, the settlement does not force Facebook to revert back to its system prior to December, 2009. Early Facebook users will remember that in those days, users could keep things and people they “liked” completely private.
Let’s take a look at what the settlement does provide. It imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information. Surprisingly, it appears that Facebook did not have such a program.
The settlement also requires that Facebook (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree.
The FTC lists eight specific allegations in its complaint about Facebook’s privacy practices, including that Facebook:
- Changed its website so that users’ Friends Lists were made public without obtaining approval from users
- Misrepresented the level of access to user information by third-party applications
- Shared users’ personal information with advertisers
- Allowed access to the content of users who deleted their Facebook accounts
- Falsely claimed that it complied with the U.S.- EU Safe Harbor Framework
- Made false claims regarding the verification of security of developer applications through a “Verified Apps” program
The FTC’s enforcement action against Facebook is part of the growing list of the FTC’s ongoing effort to ensure that online businesses live up to the privacy promises they make to consumers.
Congressional reaction was swift. Senator John Kerry (D-MA), Chairman of the Commerce Subcommittee on Communications, Technology and the Internet, released a statement approving of the settlement, saying in part, "This settlement will help ensure that companies keep their promises to consumers and give those consumers a real voice in how their information is used, distributed, and managed. It reinforces the principle that data collectors should not hold consumer information hostage, especially after a user has terminated the service." Senator Jay Rockefeller (D-WV), a critic of Facebook, also issued a statement, but continued his call for legislation:
"Consumer privacy is a right, not a luxury. With today's settlement, Facebook agrees to end deceptive practices and undergo rigorous oversight," said Rockefeller in response to the settlement. "But this action against Facebook is just the first step toward protecting consumer privacy. Ultimately, I believe legislation is needed that empowers consumers to protect their personal information from companies surreptitiously collecting and using that personal information for profit. It's unacceptable for any company, including Facebook, to change customer privacy settings without their knowledge or consent, especially a company with 800 million users. I commend the way the FTC has used its enforcement authority to improve protections for consumers in an ever-evolving online and mobile world."