Skip to main content

Your Face is for Sale! The 4 Most Interesting Things About the Proposed Update to Facebook’s Governing Documents

Written by Jake Romero

If you use Facebook (and you likely do, if only to play some game that apparently involves crushing large amounts of candy), then you received an email last week informing you that Facebook is proposing changes to its Data Use Policy and Statement of Rights and Responsibilities.  The proposed changes are largely in response to the $20 million settlement, approved last month by a federal judge, of a class action brought against Facebook in response to its use of user names and photos in “Sponsored Stories”.

In January 2011, Facebook implemented the Sponsored Stories advertising mechanism, which turned user “likes” into product endorsements.  The claim argued that Facebook did not adequately inform its users that profile photos and user names would be used by advertisers to recommend products and services.  The claim also argued that Facebook inappropriately did not give users the ability to opt out of the Sponsored Stories advertising feature and allowed the use of the likeness and photos of minors who, the claimants argued, should have automatically been opted out of the program.  Arriving just days after the approval of the settlement, the proposed changes include an interesting mix of responses and clarifications.  These are the most noteworthy:

Your face is for sale.  Under the approved settlement, Facebook agreed to pay $20 million and give its users greater “control” over the use of information by advertisers.  Facebook did not, however, agree to let its users opt out of allowing advertisers to use information entirely.  Under the revised Statement of Rights and Responsibilities, each user gives Facebook permission to use his or her name, profile picture, content and information in connection with commercial, sponsored or related content.  Facebook further clarifies that this means that businesses or other entities will pay Facebook for the ability to display user names and profile pictures.

  • Kids, be sure to ask your parents’ permission.  By using Facebook, each user under the age of 18 represents that at least one parent or guardian has agreed to Facebook’s terms, including the use of the minor’s name, profile picture, content and information by advertisers, on that minor’s behalf.
  • Your profile photo is fair game for facial recognition scanning.  Facebook scans and compares pictures in which you are tagged so that when your friends post more photos of you, it can suggest that they tag you.  The updated Data Use Policy makes it clear that your profile photo will be scanned for this purpose as well.
  • There’s a renewed emphasis on mobile phone data.  The updated policies make it clear that Facebook and, in certain cases, third-party integrated applications, will have access to a broad array of mobile data.  This includes the use of friend lists by third party mobile applications to advertise mobile applications used by an individual’s friends.  Whereas Facebook encountered substantial difficulty in implementing Sponsored Stories and similar advertising mechanisms, Facebook’s program of allowing mobile applications to market themselves as "Suggested Apps" has been a bright spot for the company’s bottom line.  Moreover, Facebook has signed on to an agreement with California Attorney General Kamala Harris that mobile applications constitute “online services” and, as such, are governed by the same disclosure and transparency regulations applicable to websites.  The clarifications related to mobile devices and applications suggest that Facebook intends to further develop the use of mobile data as a revenue stream without risking the same type of legal action.

Facebook’s proposed revisions remain open for public comment.   While the proposed revisions are unlikely to stoke the kind of furor that past changes have inspired, they remain an interesting display of the developing give-and-take between consumers and online service providers who provide a “free” service in exchange for the right to use and monetize personal data.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.