According to a press release issued yesterday, November 29, 2011, by the Federal Trade Commission, Facebook settled charges that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”
The complaint (PDF link) lists a litany of bad practices by Facebook. One allegation that stands out, largely because of the media firestorm that it created at the time, was Facebook’s change in privacy settings to users’ accounts in December 2009. The foregoing settings change was, in the FTC’s opinion, particularly egregious because Facebook undertook the changes without any notice or consent from users.
Another allegation that stands out, again both because of the media firestorm and the falsehood, was Facebook’s assertion that information from deactivated user accounts would not be accessible.
And what grueling punishment must Facebook endure for its privacy-related bad acts? According to Jon Leibowitz, Chairman of the FTC, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users." Rough justice.
In all seriousness, there is some substance to the settlement. Facebook must not make any further deceptive privacy claims. Facebook must also get consumers' approval before it changes the way it shares their data. Finally, Facebook must obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
Frankly, the foregoing requirements on Facebook are all steps that a company like Facebook, if not substantially all companies handling consumer personal information, should be undertaking.
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.
The proposed settlement is not yet final. The proposed settlement will be open to public comment for thirty days, ending on December 30, 2011. The terms of the proposed settlement is published in the Federal Register shortly. After the close of the comment period, the FTC will decide whether to make the proposed consent order final.
Interested in submitting your comments to the FTC? According to the press release: Interested parties can submit comments online or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.