The Federal Trade Commission finalized a settlement with MySpace over charges that the social networking site violated the privacy of its users.

According to the agency, MySpace misrepresented how user personal information would be protected. Although its privacy policy asserted that it would not share “personally identifiable information” with third parties, the site allowed advertisers access to users' unique persistent identifiers. Each user is assigned a unique persistent identifier, or “Friend ID,” which gave advertisers access to the personal information of individual users, such as age, gender, profile picture, full name, and in some cases, the names of friends and their hobbies, interests, and pictures.

The transfer of the information constituted a deceptive practice in violation of Section 5 of the FTC Act, according to the agency’s complaint, filed this past May.

MySpace also certified that it complied with the U.S.-EU Safe Harbor Framework (allowing the legal transfer of personal data to the United States from the European Union) and the accompanying Safe Harbor Principles. But the FTC said that MySpace failed to comply, as it did not give its users notice of how their information would be used and the choice to opt out.

Pursuant to the settlement, MySpace is barred from future privacy misrepresentations and must institute a comprehensive privacy program that is subject to biennial assessments by independent third-party auditors for the next 20 years.

Not everyone was happy with the deal, however. During the public comment period prior to final approval of the settlement, the Electronic Privacy Information Center (EPIC) complained that the terms did not go far enough. The group argued that the FTC should have emphasized the necessity of privacy safeguards for the site’s data rather than prohibiting MySpace from future deception. Specifically, the settlement should have mandated that MySpace obtain affirmative, opt-in consent, the group argued, similar to the terms of Facebook’s recent privacy settlement with the FTC.

To read the complaint and the settlement agreement in In the Matter of MySpace, click here.

To read EPIC’s comments about the settlement, click here.

Why it matters: The settlement marks the second time the agency has mandated the institution of a comprehensive privacy policy for a defendant following last year’s settlement with Google. With the agency continuing its focus on privacy-related issues, companies should ensure that they have a privacy policy from which they do not deviate.