On November 29, 2011, the Federal Trade Commission (“FTC” or “Commission”) announced that it had reached a settlement with Facebook over concerns about changes to Facebook’s privacy settings that publicly exposed users’ personal information as well as other privacy practices related to information sharing by Facebook apps and between Facebook and advertisers.
Under the terms of the settlement, Facebook will be subject to independent audits of its privacy practices for the next 20 years and will be required to obtain affirmative, express consent from consumers before sharing previously collected personal information with third parties in any way that materially exceeds the restrictions imposed by a user’s privacy settings. Facebook did not have to provide any monetary compensation.
The FTC’s complaint alleges eight separate violations of the FTC Act, which prohibits deceptive and unfair acts or practices. The alleged violations include claims that Facebook’s privacy settings did not adequately allow users to control the distribution of their personal information to third parties, that changes to Facebook’s privacy policy and practices in December 2009 prevented consumers’ ability to restrict the sharing of personal information, and that Facebook shared parts of users’ profile information with advertisers. The Complaint also made allegations related to information sharing by Facebook apps, and violations of the U.S.-EU Safe Harbor Framework.
The draft consent order does not contain an admission of wrongdoing. The consent order governs “covered information” broadly defined to cover a number of different types of personal data. Facebook is ordered not to misrepresent, in any manner, the extent to which it maintains the privacy or security of covered information, the extent to which users can control the privacy of covered information or make it accessible to third parties, and the extent to which Facebook adheres to the U.S.-EU Safe Harbor.
In addition, Facebook is required to clearly and prominently display notice to users prior to sharing users’ nonpublic information with third parties in any manner that exceeds a user’s privacy settings. This notice must be separate from Facebook’s privacy policy, and must disclose the categories of nonpublic user information that will be disclosed to third parties, the identity or specific categories of these third parties, and that sharing exceeds the user’s privacy settings. Facebook will then have to obtain the user’s affirmative express consent. If sharing does not materially exceed the restrictions imposed by a user’s privacy settings, consent is not necessary.
Facebook has 60 days to implement procedures designed to ensure that covered information from deleted profiles can no longer be accessed by any third party. These procedures must ensure that information from deleted or terminated accounts cannot be accessed by any third party within 30 days of the account termination.
Facebook is also ordered to establish and maintain a comprehensive privacy program intended to address privacy risks related to the development and management of new and existing products and services and to protect the privacy and confidentiality of covered information. Facebook will be subject to biannual independent assessments for the next 20 years, with the first required within 180 days of the order.
The consent order also includes reporting and compliance provisions, requiring Facebook to file a report within 90 days setting forth the manner of its compliance with the consent order, and is required to provide to the FTC and/or retain different categories of documents, such as all widely disseminated statements that describe information sharing practices and consumer complaints, for designated periods of time.
