Facebook has agreed to settle the Federal Trade Commission’s eight-count complaint in which the FTC charged that the social networking service, which is widely used by libraries, had deceived consumers by promising to keep their information private and then repeatedly making it public.
“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, chairman of the FTC said in a statement.. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”
Facebook’s privacy practices were the subject of complaints filed in 2009 and 2010 with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups.
Under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material no more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
In a blog post, Facebook founder and Chief Executive Mark Zuckerberg said “he was the first to admit that we’ve made a bunch of mistakes.” He added::
“For Facebook, this means we’re making a clear and formal long-term commitment to do the things we’ve always tried to do and planned to keep doing — giving you tools to control who can see your information and then making sure only those people you intend can see it.”
Zuckerberg also announced the creation of two new corporate officer roles: chief privacy officer of policy and chief privacy officer of products.
The agreement, which was accepted by the FTC on a 4-0 vote, will be subject to public comment through December 30, 2011, after which the Commission will decide whether to make the proposed consent order final. Each violation of a final order faces a fine of up to $16,000.
The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook claimed it had a “Verified Apps” program it used to certify the security of certain apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.