Facebook settles privacy complaints with US regulator

Out-Law News | 30 Nov 2011 | 2:24 pm | 3 min. read

Facebook will have to obtain "affirmative express consent" from its users before imposing material changes to their privacy settings, according to the US Federal Trade Commission (FTC).

The US consumer protection regulator announced the requirement as part of a proposed settlement Facebook has agreed to address concerns about its privacy policies and procedures.

"[Facebook] shall clearly and prominently disclose to the user, separate and apart from any 'privacy policy,' 'data use policy,' 'statement of rights and responsibilities' page, or other similar document: the categories of nonpublic user information that will be disclosed to such third parties, the identity or specific categories of such third parties, and that such sharing exceeds the restrictions imposed by the privacy setting(s) in effect for the user; and obtain the user’s affirmative express consent," the settlement (10-page / 30KB PDF) said.

Under the settlement Facebook will also have to undergo compulsory bi-annual privacy audits for the next 20 years and cut off third party access to user accounts within 30 days of them being deleted, unless access is required by law or is necessary to protect the Facebook website or its users from fraud or illegal activity..

The social network is also barred from misrepresenting "the extent to which it maintains the privacy or security" of "information from or about an individual consumer", such as users' names, addresses, photos and location. Facebook will also have to "establish and maintain a comprehensive privacy program" that will help it flag up and address privacy risks associated with any new innovations and protect the privacy of users' information.

The agreed measures are open to public comment until 30 December after which the FTC will decide whether to formally accept them. The measures have been agreed in order to settle complaints (19-page / 425KB PDF) alleging that Facebook deceived users about the control they had over the privacy of their information, the FTC said.

Facebook made users' private information public without warning and without approval, the FTC said. The social network also shared users' personal data with advertisers despite saying it would not and allowed third-party apps access to more user data than was needed in order to operate, the regulator said.

Facebook's claims that it could certify the security of verified apps was false and it did not prevent third-party apps used by users' friends from accessing data users would share with those people, despite telling them the data would be shared with 'friends only', the FTC said.

Facebook also wrongly claimed that it shut off access to photos and videos on deactivated or deleted accounts and that it complied with US-EU Safe Harbor rules on the transfer of data, the FTC said.

The Safe Harbor scheme is an agreement drawn up between the European Commission and US Department of Commerce that allows for the transfer of personal data from Europe to the US where data protections meet EU standards.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said Jon Leibowitz, chairman of the FTC, in a statement. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not," he said.

Facebook chief executive Mark Zuckerberg admitted the social network had made "a bunch of mistakes" on privacy, but insisted that the company was committed to giving users "transparent" details about what information it stores about them.

"Overall, I think we have a good history of providing transparency and control over who can see your information," Zuckerberg said in a Facebook blog.

"That said, I'm the first to admit that we've made a bunch of mistakes. In particular, I think that a small number of high profile mistakes ... have often overshadowed much of the good work we've done. I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service," he said.

"Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It's important for people to think about this, and not one day goes by when I don't think about what it means for us to be the stewards of this community and their trust," Zuckerberg said.