Facebook Agrees to Settlement with FTC – But will Anything Change?

In response to the proposed settlement with the FTC over systematic privacy infringements, material omissions regarding privacy changes, and alleged fraud for charges to verified apps that were never verified, CEO Mark Zuckerberg stated “I founded Facebook on the idea that people want to share and connect with people in their lives, but to do this everyone needs complete control over who they share with at all times.”

Perhaps that is true. After all, it was the predecessor site – Facemash – that resulted in accusations of “breaching security, violating copyrights and violating individual privacy by creating the website.” Zuckerberg decided to get out of the social media arena. “Issues about violating people’s privacy don’t seem to be surmountable,” he wrote at that point. “I’m not willing to risk insulting anyone.” But that did not last long. Shortly thereafter, Facebook was born.

According to the FTC, Facebook violations included the following:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
  • Facebook had a “Verified Apps” program and claimed it certified the security of participating apps. It didn’t.
  • Facebook promised users that it would not share their personal information with advertisers. It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.

Moreover, the EU is not finished with this issue. Facebook has come under fire from states such as Ireland and Austria as well as the broader European Union. According to news reports, in January 2012, a new EU directive will be proposed to “ban targeted ads to users unless the user specifically allows it. If this new legislation is passed it would mean that every time Facebook doesn’t comply it would face substantial fines as well as serious legal action.” The potential EU action will go much further than the FTC.

Zuckerberg has elevated two Facebook attorneys to be responsible for privacy enforcement. Time will tell, however, whether the promotions will change the culture of a company that has a leader who sheds only crocodile tears over privacy violations.

Under the proposed settlement, the FTC will take some incremental steps. Facebook will be:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

A thirty-day public comment period for the existing FTC consent decree has begun. The public will have an opportunity to address the scope of the FTC response, which is substantially less than the EU proposals.

Which is the better approach? Speak up.

Interested parties can submit comments online or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.