The FTC announced it has accepted a final settlement and consent agreement with Facebook. This settlement resolves the FTC's complaint that Facebook deceived consumers by telling them they could keep their information on Facebook private, while allegedly allowing that information to be shared and made public nevertheless. As part of the settlement, Facebook must give consumers "clear and prominent notice and [obtain] their express consent before sharing their information beyond their privacy settings." This consumer notice must be separate and apart from any "privacy policy," "data use policy," or other similar document. The notice must address (1) the categories of user information that will be disclosed to third parties, (2) the identity or categories of such third parties, and (3) the fact that the sharing exceeds the user's privacy settings. The order further requires Facebook to maintain a comprehensive privacy program to protect consumer information, and to allow an independent third party to audit its privacy programs every two years. The order extends until July 27, 2032, or 20 years from the most recent federal or FTC complaint alleging a violation of the order.

Tip: Keep in mind that the FTC will look not only at statements in privacy policies, but also at direct, on-screen statements. Companies should thus make sure that those statements are clear and accurate. This case suggests that the FTC is particularly concerned about how user information is made public.