On Tuesday, the Federal Trade Commission announced a proposed settlement with Facebook, the world’s largest social media site, in connection with an FTC complaint alleging that Facebook repeatedly deceived consumers by promising to keep certain personal information private and failing to do so. The settlement suggests that the FTC may continue to focus on privacy-related enforcement actions into the New Year.
Among other things, the complaint alleged that Facebook made privacy misrepresentations in connection with the 2009 revamping of its privacy model. The complaint also alleged that:
- without notice or consent, Facebook changed its privacy features to allow private information – such as Friends Lists – to be publicly available;
- although Facebook represented that users could restrict sharing of data to limited groups (e.g., "Friends Only"), such information was shared with third-party apps;
- Facebook shared personal information with advertisers while promising not to do so; and
- Facebook continued to allow access to pictures and videos after user accounts were deleted or deactivated.
The proposed settlement bars Facebook from making deceptive privacy claims, requires Facebook to obtain user consent before changing privacy features and requires Facebook to submit to privacy compliance audits over the next 20 years. In addition, under the proposed settlement, Facebook must prevent access to user content after an account has been deleted and establish and maintain a comprehensive privacy program to address privacy risks related to the development and management of new and existing products and services. Notwithstanding the allegations, the proposed settlement does not constitute an admission by Facebook as to any violations of law.
In a blog post in response to the settlement, Facebook CEO Mark Zuckerberg outlined recent modifications to Facebook’s privacy policies designed to address privacy concerns. Zuckerberg further announced that the role of Facebook’s Chief Privacy Officer will be split into two distinct positions to address matters related to policy and products.
The Facebook settlement is evidence of a greater effort by the FTC to hold social media companies accountable for allegedly deceptive privacy practices. Specifically, the FTC recently settled an action with Twitter concerning its data security practices, as well as actions with the operator of www.skidekids.com and the application provider W3 Innovations, LLC in connection with violations of the Children’s Online Privacy Protection Act.
The FTC will accept public comments on the proposed Facebook settlement through December 30, 2011. Thereafter, the FTC will decide whether to make the order final.