Facebook Settles Privacy Complaints with Federal Trade Commission
November 30, 2011
The Federal Trade Commission has just announced a settlement with Facebook, Inc. in connection with charges by the FTC that Facebook engaged in deceptive privacy practices. The FTC alleged that Facebook did not disclose to users that their Facebook information could be accessed by third parties without the users' explicit authorization. In particular, according to the FTC, although Facebook's privacy controls led users to believe that they could control who could see and access their profile information, platform applications could access user profile information regardless of the user's privacy settings. In addition, the FTC claimed that Facebook's privacy policies stated that applications could only access information related to the purpose of the application. In practice, however, the FTC alleged that applications could access more information than necessary to function. Furthermore, the FTC alleged that Facebook engaged in a violation of the FTC Act when it revised its privacy practices in December 2009. In particular, when Facebook announced its new practices, it claimed that users would have more control over their information. But it did not disclose that after the revised privacy practices went into effect, they overrode users' previous privacy settings. In addition, contrary to statements made to users by Facebook, Facebook shared user information with its advertisers without users' consent, to allow advertisers to target advertising to users based on users' profile information. Finally, the FTC claimed that, despite promises to the contrary, Facebook failed to delete user information after a user deactivated or deleted his or her Facebook account: Facebook continued to display photos and videos uploaded by the user, and did not disable third-party access to such user information, even after the account was deleted or deactivated.
The proposed settlement requires Facebook to accurately disclose the extent to which it maintains the privacy of user information, including its collection and disclosure of information, the extent to which a user can control the privacy of his or her information, the extent to which Facebook discloses information to third parties, and the steps Facebook takes to verify the privacy or security offered by third-party providers. Furthermore, the proposed settlement requires Facebook to obtain a user's express affirmative consent before enacting changes that would override the user's existing privacy preferences, and prohibits Facebook from accessing user information more than 30 days after the user has deleted his or her account. Facebook will also be required to establish and maintain a comprehensive privacy program which addresses the concerns set forth in the FTC's complaint, and for the next 20 years must obtain a third-party audit of such privacy program to ensure compliance with the FTC's order and applicable law. Finally, Facebook will be required to maintain its records for FTC inspection in order to allow the FTC to monitor Facebook's compliance. If Facebook engages in conduct that violates the settlement, Facebook may be subject to fines of $16,000 per violation, per day.
TIP: Websites that collect and store user information should ensure that they are accurately and comprehensively disclosing how user information will be used and disclosed. Companies should also take care when making material changes to privacy practices. The terms of this settlement also serve as a reminder that the FTC expects companies to have in place comprehensive privacy programs, and the mechanisms to ensure compliance with those programs.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.