FTC Warns: Practice What You Promise - Part 1

The Federal Trade Commission has issued yet another warning to companies operating online:  make sure your privacy policy is not making promises that you cannot (or do not) keep.

Recently, the FTC entered into an agreement with Myspace and issued a consent order to settle a complaint it filed against the social networking website. This post examines the important components of the FTC complaint, focusing on how Myspace indirectly shared its users’ personally identifiable information (PII) in violation of its own privacy policy, and the FTC consent order, which provides yet another road map for companies to stay on the “right” side of the privacy road. Key takeaways are in Part 2.

The Complaint

Specifically, the FTC alleged that Myspace’s actions contradicted its own privacy policy in the following ways:

  • Myspace Policy: Myspace’s privacy policy represents that it will not share users’ PII, including with third parties, other than as described in its privacy policy, without first giving notice to and receiving permission from that user.
    Violation: The FTC alleged, however, that Myspace violated its own privacy policy by providing the “FriendID” of its users to third-party advertisers. Advertisers could then use the FriendID to access a user’s Myspace profile page and obtain the user’s PII, which generally included the user’s full name.
  • Myspace Policy: Myspace’s privacy policy promises users that the means through which it customizes ads does not allow advertisers to access PII or individually identify users.
    Violation: Again, the FTC alleged that by providing advertisers with a user’s FriendID, Myspace indirectly allowed advertisers to identify users and access their PII.
  • Myspace Policy: Myspace’s privacy policy represents that users’ web browsing activity shared with advertisers is anonymized.
    Violation: The FTC alleged that when Myspace provided a user’s FriendID to an advertiser, which indirectly allowed the advertiser to access the user’s PII, the advertiser could link that PII to the tracking cookies it places on the user’s computer, and those cookies allow the advertiser to track the user’s web browsing activity.
  • Myspace Policy: Myspace claims in its privacy policy that it is compliant with the U.S.-E.U. Safe Harbor Framework, which requires Myspace to provide users with notice regarding the purposes for which it collects and uses information about them, and choice regarding whether a user’s PII is to be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected.
    Violation: The FTC alleged that Myspace failed to provide the requisite notice and choice under the U.S.-E.U. Safe Harbor Framework with respect to the use of users’ PII.

From its analysis of each of these “misstatements” in the Myspace privacy policy, the FTC found that Myspace had made misrepresentations to its users, and the Complaint alleged that Myspace’s actions on this front were false and misleading and constituted unfair and deceptive business practices under the FTC Act.

The Agreement and Consent Order

To resolve the FTC’s complaint and allegations listed above, Myspace and the FTC entered into an Agreement and Consent Order (FTC Order). The FTC Order requires Myspace to take the following actions to remedy its currently inadequate procedures related to how it protects and manages user PII, and how it discloses those procedures to users:

  • Myspace shall not misrepresent the extent to which it maintains and protects the privacy and confidentiality of user PII, including the purposes for which it collects and discloses PII and the extent to which it makes or has made PII accessible to third parties.
  • Myspace shall not misrepresent the extent to which it is a member of, adheres to, complies with, is certified by, is endorsed by or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or other entity, including the U.S.-E.U. Safe Harbor Framework.
  • Myspace must establish and maintain a comprehensive privacy program that is reasonably designed to address privacy risks and protect the privacy and confidentiality of PII, including:
    • designating an employee or employees to coordinate and be responsible for the privacy program;
    • identifying reasonably foreseeable and material risks of disclosing PII;
    • designing and implementing reasonable privacy controls and procedures;
    • developing and using reasonable steps to select and retain service providers capable of appropriately protecting the privacy of PII they receive from Myspace and requiring those service providers to implement their own privacy protections; and
    • evaluating and adjusting Myspace’s privacy program in light of its findings as a result of its new privacy controls and procedures or due to changes in Myspace’s business.
  • Myspace is required to obtain an initial and subsequent biennial assessment and report from a qualified and independent third-party professional that is approved by the FTC. Myspace must undergo the first assessment within 180 days of the FTC Order, and an additional assessment every two years for twenty years thereafter.
  • Myspace must maintain and make available to the FTC, for a period of five years, a copy of all widely disseminated statements that describe Myspace’s privacy protections, consumer complaints relating to conduct prohibited by the FTC Order, subpoenas relating to Myspace’s compliance with the FTC Order, documents questioning Myspace’s compliance with the FTC Order, and all materials relied on by the third party in preparing its assessments.
  • Myspace must deliver a copy of the FTC Order to various parties, including all current and former employees, directors, and officers.
  • Myspace must notify the FTC at least thirty (30) days before any change in the corporation that may affect Myspace’s compliance obligations, including various change of control scenarios such as a merger or sale of the company.

Key takeaways for any company are in Part 2.

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.