Facebook, FTC Settle over Privacy Deceptions
Social Network Names Two Chief Privacy Officers

Facebook has reached a tentative settlement with the Federal Trade Commission over accusations that it deceived consumers by telling them that information they marked private on the social network would stay private when it did not, the FTC said Tuesday.
Under the proposed settlement, Facebook agreed to a number of steps to live up to its privacy promises, including giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond the privacy settings they have established. The settlement carries no financial penalty.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," FTC Chairman Jon Leibowitz said in announcing the proposed settlement. "Facebook's innovation does not have to come at the expense of consumer privacy."
In a blog post Tuesday, Facebook founder Mark Zuckerberg announced the creation of two chief privacy officer posts, one for policy and the other for products. "These two positions will further strengthen the processes that ensure that privacy control is built into our products and policies," he said.
Zuckerberg tapped Erin Egan, a lawyer specializing in global privacy and data security who recently joined Facebook, as CPO for policy, and Michael Richter, Facebook's chief privacy counsel, as CPO for products.
Notwithstanding the FTC charges that Facebook violated members' privacy, Zuckerberg maintained that the social network had a good history of providing transparency and control over who can see members' information. "That said," he wrote, "I'm the first to admit that we've made a bunch of mistakes. In particular, I think that a small number of high-profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done." (Beacon allowed a member's actions on an advertiser's website to be posted to that member's Facebook news feed without the member's explicit permission.)
Many of the steps the FTC order requires to assure members' privacy have already been implemented, Zuckerberg said.
The proposed settlement, which the FTC approved by a 4-0 vote, bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
Congressional Action Mulled
Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., characterized the proposed settlement as just the first step toward protecting consumers' online privacy. "Ultimately," he said in a statement, "legislation is needed that empowers consumers to protect their personal information from companies surreptitiously collecting and using that personal information for profit. It's unacceptable for any company, including Facebook, to change customer privacy settings without their knowledge or consent, especially a company with 800 million users."
Under the proposed settlement, according to the FTC, Facebook is prohibited from making misrepresentations about the privacy or security of consumers' personal information. Facebook also is to:
- Get consumers' affirmative express consent before enacting changes that override their privacy preferences.
- Prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account.
- Establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services and to protect the privacy and confidentiality of consumers' information.
- Obtain, within 180 days and every two years thereafter for the next 20 years, independent third-party audits certifying that it has in place a privacy program that meets or exceeds the requirements of the FTC order and ensures that consumers' information is protected.
FTC: What Facebook Should Not Have Done
Two years ago, the FTC said, Facebook changed its website so that certain information users may have designated as private, such as their Friends List, was made public. Facebook neither notified users that this change was coming nor got their approval in advance. The FTC also said Facebook had represented that user-installed third-party apps would have access only to the user information they needed to operate; in fact, the commission said, the apps could access nearly all of a user's personal data, including data the apps didn't need. Among other privacy violations, the FTC alleged, Facebook:
- Told users they could restrict sharing of data to limited audiences, for example to friends only. Selecting "friends only" didn't prevent their information from being shared with third-party applications their friends used.
- Had a verified-apps program and claimed it certified the security of participating apps. It didn't.
- Promised users that it would not share their personal information with advertisers. It did.
- Claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Maintained that it complied with the U.S.-European Union Safe Harbor Framework that governs data transfer between the U.S. and the EU. It didn't.
The FTC began looking into Facebook's privacy practices after the Electronic Privacy Information Center and a coalition of consumer groups filed a complaint. The agreement will be subject to public comment for 30 days, beginning Tuesday and continuing through Dec. 30, after which the FTC will decide whether to make the proposed consent order final.