The Federal Trade Commission (FTC) recently agreed upon a settlement with Myspace LLC, operator of Myspace.com, regarding the company’s privacy practices. In its six-count complaint, the FTC accused Myspace of several unfair and deceptive practices related to its disclosure of user information, including a claim that the company misled its users about the extent to which it shared their information with advertisers. As a result of the settlement, Myspace is banned from making misrepresentations about its privacy practices and has agreed to institute a comprehensive privacy program.

The FTC’s complaint primarily focused on Myspace’s use of the “Friend ID,” a persistent unique identifier attached to each Myspace profile. A profile displays information such as a user’s age, gender, picture, display name, and full name. According to the FTC, Myspace’s privacy policy indicated that it did not share personally identifying information with third parties or in manners inconsistent with the purposes for which the information was submitted.  However, the FTC alleged that the Friend ID was shared with advertisers when users visited particular pages on the website. Further, the FTC complaint stated that Myspace’s privacy policy indicated that it only permitted advertisers to have access to anonymized data when, in reality, once the Friend ID was shared, advertisers could tie a user’s profile information to the user’s web-browsing history and use tracking cookies to compile information related to a specific user.  Finally, the FTC alleged that Myspace falsely represented that it complied with the US-EU Safe Harbor Framework while it was actually violating the Notice and Choice principles of the Framework based on the behaviors detailed above. Specifically, the complaint alleges that Myspace was not providing users with adequate notice of its data sharing policies to permit them to make informed choices about the use of their information.

As part of the settlement, Myspace is prohibited from misrepresenting the extent to which it protects consumer information, especially with respect to the practices described above. Myspace must also implement a comprehensive privacy program to adequately protect consumer information. In addition to requiring more privacy controls, the FTC has also imposed auditing and reporting requirements to ensure compliance.

All website operators collecting user information should be aware of the FTC’s settlement with Myspace as it serves as yet another sign of the FTC’s views on data collection and privacy policies. Additionally, it reinforces the FTC’s preference for privacy by design, whereby privacy considerations are built into a company’s business model and companies have individuals and programs designated to protect consumer information. It is also an indication of the importance of ensuring that a company’s privacy policy is accurate so that consumers are properly informed about a company’s privacy practices. Failure to adhere to a company’s own privacy policy can lead to an action by the FTC based on unfair and deceptive business practices.