- Violation: Again, the FTC alleged that by providing advertisers with a user’s FriendID, Myspace indirectly allowed advertisers to identify users and access their PII.
- Violation: The FTC alleged that when Myspace provided a user’s FriendID to an advertiser, which indirectly allowed the advertiser to access the user’s PII, the advertiser could link that PII to tracking cookies it had placed on the user’s computer, allowing it to track the user’s web browsing activity.
- Violation: The FTC alleged that Myspace failed to provide the notice and choice required under the U.S.-E.U. Safe Harbor Framework regarding the use of users’ PII.
The Agreement and Consent Order
To resolve the FTC’s complaint and allegations listed above, Myspace and the FTC entered into an Agreement and Consent Order (FTC Order). The FTC Order requires Myspace to take the following actions to remedy its currently inadequate procedures related to how it protects and manages user PII, and how it discloses those procedures to users:
- Myspace shall not misrepresent the extent to which it maintains and protects the privacy and confidentiality of user PII, including the purposes for which it collects and discloses PII and the extent to which it makes or has made PII accessible to third parties.
- Myspace shall not misrepresent the extent to which it is a member of, adheres to, complies with, is certified by, is endorsed by or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or other entity, including the U.S.-E.U. Safe Harbor Framework.
- Myspace must establish and maintain a comprehensive privacy program that is reasonably designed to address privacy risks and protect the privacy and confidentiality of PII, including:
  - designating an employee or employees to coordinate and be responsible for the privacy program;
  - identifying reasonably foreseeable and material risks of disclosing PII;
  - designing and implementing reasonable privacy controls and procedures;
  - developing and using reasonable steps to select and retain service providers capable of appropriately protecting the privacy of PII they receive from Myspace, and requiring those service providers to implement their own privacy protections; and
  - evaluating and adjusting Myspace’s privacy program in light of the results of its new privacy controls and procedures or of changes in Myspace’s business.
- Myspace is required to obtain an initial and subsequent biennial assessment and report from a qualified, independent third-party professional approved by the FTC. Myspace must undergo the first assessment within 180 days of the FTC Order, and a further assessment every two years for the following twenty years.
- Myspace must maintain and make available to the FTC, for a period of five years, a copy of all widely disseminated statements that describe Myspace’s privacy protections, consumer complaints relating to conduct prohibited by the FTC Order, subpoenas relating to Myspace’s compliance with the FTC Order, documents questioning Myspace’s compliance with the FTC Order, and all materials relied on by the third party in preparing its assessments.
- Myspace must deliver a copy of the FTC Order to various parties, including all current and former employees, directors, and officers.
- Myspace must notify the FTC at least thirty (30) days before any change in the corporation that may affect Myspace’s compliance obligations, including various change of control scenarios such as a merger or sale of the company.
Keeping the FTC Out of Your Space
Don’t Let Default Be Your Fault. Much of the FTC’s complaint focused on Myspace’s default settings, which displayed a user’s full name on their profile page. When advertisers obtained a FriendID from Myspace, they could then, because of that default, almost certainly retrieve the user’s full name by viewing the profile. You should examine your default settings to ensure that your users are not disclosing PII to third parties unless they have expressly agreed to do so, and unless it is absolutely necessary. Maintaining a high level of privacy protection under your default settings prevents an identifier that is shared with a third party from becoming an indirect route to the PII behind it. Default settings should be reviewed each time new functionality is added or technical solutions or plug-ins are changed, and at least annually.
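The indirect access path described above, and the kind of check that catches a weak default before it ships, as an added example. This is constructed illustration code, not Myspace’s code or anything from the FTC Order; the profile structure, the field names, the sample users and the two default-setting tables are assumptions made for the example.

```python
"""Constructed example: how an opaque user ID becomes a PII leak under a weak
default, and a privacy-by-default check you can run whenever profile fields change.
All names, fields and sample data are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List

# Fields treated as PII for the purposes of the default-settings check (assumed set).
PII_FIELDS = {"full_name", "email", "birth_date"}

# Visibility levels, most to least restrictive.
PRIVATE, FRIENDS, PUBLIC = "private", "friends", "public"

# WEAK mirrors the complaint: the full name is shown on the profile page unless the
# user changes the setting. SAFE keeps every PII field private until the user opts in.
WEAK_DEFAULTS = {"full_name": PUBLIC, "email": PRIVATE, "birth_date": PUBLIC,
                 "age": PUBLIC, "display_name": PUBLIC}
SAFE_DEFAULTS = {"full_name": PRIVATE, "email": PRIVATE, "birth_date": PRIVATE,
                 "age": PUBLIC, "display_name": PUBLIC}


@dataclass
class Profile:
    friend_id: int
    fields: Dict[str, str]        # stored values
    visibility: Dict[str, str]    # per-field visibility, seeded from the defaults


def new_profile(friend_id: int, fields: Dict[str, str], defaults: Dict[str, str]) -> Profile:
    """Create an account exactly as a new user would get it: defaults, no opt-in yet."""
    return Profile(friend_id, dict(fields), dict(defaults))


def public_view(profile: Profile) -> Dict[str, str]:
    """What an unauthenticated visitor sees on the profile page.

    Fields with no visibility entry (e.g. added by new functionality and never given a
    default) fail closed: they are treated as PRIVATE rather than PUBLIC."""
    return {k: v for k, v in profile.fields.items()
            if profile.visibility.get(k, PRIVATE) == PUBLIC}


def advertiser_lookup(directory: Dict[int, Profile], friend_id: int) -> Dict[str, str]:
    """The indirect access path: given only a FriendID, resolve the PII that the
    default settings expose on the public profile page."""
    profile = directory.get(friend_id)
    if profile is None:
        return {}
    return {k: v for k, v in public_view(profile).items() if k in PII_FIELDS}


def audit_defaults(defaults: Dict[str, str]) -> List[str]:
    """Return the PII fields that a brand-new account exposes without an explicit opt-in.
    Run this in CI whenever the defaults table or the field list changes."""
    return sorted(f for f in PII_FIELDS if defaults.get(f, PRIVATE) != PRIVATE)


def build_directory(defaults: Dict[str, str]) -> Dict[int, Profile]:
    """Constructed sample users, all created under the given defaults."""
    users = [
        (1001, {"full_name": "Alice Example", "email": "alice@example.com",
                "birth_date": "1990-01-01", "age": "34", "display_name": "alice_e",
                "new_field": "added by a plug-in, no default configured"}),
        (1002, {"full_name": "Bob Sample", "email": "bob@example.net",
                "birth_date": "1985-06-15", "age": "39", "display_name": "bobs"}),
    ]
    return {fid: new_profile(fid, f, defaults) for fid, f in users}


if __name__ == "__main__":
    for name, defaults in (("WEAK", WEAK_DEFAULTS), ("SAFE", SAFE_DEFAULTS)):
        directory = build_directory(defaults)
        print(name, "defaults: advertiser holding FriendID 1001 learns",
              advertiser_lookup(directory, 1001))
        print(name, "defaults: audit flags", audit_defaults(defaults))
```

Two points the code makes that the paragraph only states: a third party never needs direct access to the PII store if the identifier it was given resolves to a page whose defaults expose that PII, and a field introduced by new functionality without a configured default is the exact case the “review on every change” advice is about, so the view logic should fail closed on it rather than assume public.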