The FTC announced today that it had settled a matter with Facebook related to its privacy practices. Among the allegations made by the FTC in the complaint were:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The proposed consent decree requires Facebook to not make misrepresentations regarding a number of topics, including:
A. its collection or disclosure of any covered information;
B. the extent to which a consumer can control the privacy of any covered information maintained by Respondent and the steps a consumer must take to implement such controls;
C. the extent to which Respondent makes or has made covered information accessible to third parties;
D. the steps Respondent takes or has taken to verify the privacy or security protections that any third party provides;
E. the extent to which Respondent makes or has made covered information accessible to any third party following deletion or termination of a user’s account with Respondent or during such time as a user’s account is deactivated or suspended; and
F. the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any third party, including, but not limited to, the U.S.-EU Safe Harbor Framework.
It also requires separate disclosures and affirmative express consent, as well as other requirements, regarding the sharing of user’s nonpublic user information that “materially exceeds” the restrictions of the privacy settings set by the users, has data deletion requirements if users choose to remove data, as well as the implementation of a comprehensive privacy program, as well as reporting.
While the Facebook consent decree is similar in some ways to the FTC’s prior agreements, the requirements regarding separate disclosures and affirmative express consent mark a departure in some ways from the obligations previously imposed as part of privacy consent decrees.
The press release, complaint, and consent can be found at these links.