Facebook is again facing controversy over proposed changes to the site’s Data Use Policy that critics argue may result in privacy violations for users.

The night before Thanksgiving, the social networking site sent an e-mail to users to inform them of three pending changes: a proposal to end the user voting system for policy changes, new filters for incoming messages, and, most controversially, a plan to share data with its affiliate Instagram, which it recently acquired.

With respect to the incoming message change, the proposal would eliminate the mechanism that allows users to control who can send them messages through Facebook. Consumer groups have noted that removing users’ ability to block unwanted messages may undermine their privacy and security, as it could increase the amount of spam that users receive.

The proposed data-sharing between affiliates immediately drew a reaction similar to the firestorm Google set off when it attempted to aggregate information across its services like Gmail and YouTube.

Consumer groups like the Center for Digital Democracy and the Electronic Privacy Information Center said the changes would violate the terms of Facebook’s recent consent order with the Federal Trade Commission. In that case, the social networking site settled allegations by the agency that it made user information public by default even though it promised to keep the information private. Facebook also agreed to give users clear and prominent notice and obtain their express consent before sharing information beyond their privacy settings, including with third parties, and establish a comprehensive privacy program subject to audit. Here, the decision to combine user profiles and share data with affiliate sites like Instagram could pose privacy concerns, as users are arguably more vulnerable to attack from hackers and identity thieves.

In a letter to Facebook CEO Mark Zuckerberg, the consumer groups urged Facebook to withdraw the proposed changes, arguing that the “proposed changes raise privacy risks for users, may be contrary to law, and violate your previous commitments to users about site governance.”

Facebook spokesman Andrew Noyes addressed the data-sharing with affiliates in a written statement: “As our company grows, we acquire businesses that become a legal part of our organization. Those companies sometimes operate as affiliates. We wanted to clarify that we will share information with our affiliates and vice versa to help improve our services and theirs.”


Why it matters: Although Facebook has faced more serious allegations of privacy violations in the past (like the FTC case), the incident has done little to improve Facebook’s reputation with respect to how it treats the privacy of its users. Ill-will towards the social networking site was exacerbated by the timing of the announcement during the holiday, which contributed to the impression that the site was attempting to sneak changes past users. Companies should proceed with caution before making changes to their privacy practices, particularly when they have a settlement with the FTC in place, as violating a consent order can result in harsh penalties. Google recently settled with the FTC for violating the terms of its consent order in a privacy case with the agency – resulting in a record $22.5 million fine.