On November 29, 2011, the Federal Trade Commission (“FTC” or “Commission”) announced that it had reached a settlement with Facebook over concerns about changes to Facebook’s privacy settings that publicly exposed users’ personal information, as well as other privacy practices related to information sharing by Facebook apps and between Facebook and advertisers.
Under the terms of the settlement, Facebook will be subject to independent audits of its privacy practices for the next 20 years and will be required to obtain affirmative, express consent from consumers before sharing previously collected personal information with third parties in any way that materially exceeds the restrictions imposed by a user’s privacy settings. Facebook did not have to provide any monetary compensation.
The draft consent order does not contain an admission of wrongdoing. The consent order governs “covered information” broadly defined to cover a number of different types of personal data. Facebook is ordered not to misrepresent, in any manner, the extent to which it maintains the privacy or security of covered information, the extent to which users can control the privacy of covered information or make it accessible to third parties, and the extent to which Facebook adheres to the U.S.-EU Safe Harbor.
Facebook has 60 days to implement procedures designed to ensure that covered information from deleted profiles can no longer be accessed by any third party. These procedures must ensure that information from deleted or terminated accounts cannot be accessed by any third party within 30 days of the account termination.
Facebook is also ordered to establish and maintain a comprehensive privacy program intended to address privacy risks related to the development and management of new and existing products and services and to protect the privacy and confidentiality of covered information. Facebook will be subject to biannual independent assessments for the next 20 years, with the first required within 180 days of the order.
The consent order also includes reporting and compliance provisions: Facebook must file a report within 90 days setting forth the manner of its compliance with the consent order, and must provide to the FTC and/or retain different categories of documents, such as all widely disseminated statements that describe information sharing practices and consumer complaints, for designated periods of time.