The U.S. Federal Trade Commission (‘FTC’) announced that it reached a tentative settlement with Facebook over charges that the social media company engaged in deceptive privacy practices with consumers.
But will the proposed settlement (you can read it below) really protect users in an era when tech privacy law is constantly evolving? It’s not final yet; consumers have until the end of 2011 to tell the FCC what they think about it.
This is certainly not the first time that Facebook faced challenges and concerns over the company’s privacy practices, and it’s not likely to be the last. One would think that appointing company privacy officers is a step, but Facebook has had them for years.
As the company’s privacy policies have grown, so too have the accompanying legalese and wordy text in the policies themselves. Just take a look at this intricate (and dated) Facebook privacy chart that The New York Times put together last year.
Here is a list of what the FTC alleged in its complaint:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The FTC and Facebook say that they have agreed to a tentative settlement to stem deceptive privacy practices. The settlement will mandate ongoing reviews of the social networking company’s privacy practices over the next 20 years by independent, third-party auditors.
The proposed settlement (see below) states that Facebook would now be:
- Barred from making misrepresentations about the privacy or security of consumers’ personal information;
- Required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- Required to prevent anyone from accessing a user’s material no more than 30 days after the user has deleted his or her account;
- Required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- Required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
Facebook has faced a variety of privacy faux pas during the web company’s exponential growth:
- In 2007, Facebook’s Beacon advertising tool told users’ friends, without consent, what products they bought. The fallout from Facebook decision to make this an opt-out program by default, rather than opt-in, was predictable.
- Also in 2007, investigators at the New York Attorney General’s office discovered that when they created fictitious teenage user profiles on Facebook, they quickly received sexual advances from adults, and had little trouble finding pornographic videos and pictures. Facebook ultimately agreed to appoint an independent auditor for two (2) years to monitor safety and security, and hasten the company’s response time to user complaints about “nudity, or pornography, or harassement, or unwelcome contact” from other Facebook users.
- In May 2010, Zuckerberg scored an op-ed in The Washington Postwhere he apologized for the company’s rapid growth into “a community of more than 400 million people in just a few years…Sometimes we move too fast.”John Paczkowski correctly observed that Zuckerberg omitted from his op-ed “an apology for further loosening Facebook’s privacy safeguards or for the speed with which Facebook loosened them. In other words, it’s a comment on the execution of a policy, not on the policy itself.”
The bigger questions, however, appear to be whether this will comfort and educate consumers about how their personal information can be utilized by Facebook and the company’s advertising partners. Will users be able to understand, and also navigate Facebook’s privacy settings more easily?
How should consumers be able to make informed choices about adjusting their privacy settings — not only on Facebook — but also on other social media applications, and websites?
FTC’s Complaint against Facebook (PDF)
Tentative FTC – Facebook Settlement Agreement (PDF) [Not yet final]
