Out-Law News

US regulator unclear as to Facebook's third party data sharing obligations


An agreement forged between the US Federal Trade Commission (FTC) and Facebook fails to provide clarity on the ability of the social network to share private information about users with advertisers and others without those users' consent, an expert has said.

The FTC announced late last week that it had approved a final settlement with Facebook to resolve complaints that the social networking company "deceived consumers" by sharing data about those individuals with third parties despite claiming that the consumers could keep the information private.

As part of the settlement (10-page / 30KB PDF) Facebook has agreed to obtain the "affirmative express consent" of its users to share their private information with advertisers and others in circumstances where those users' privacy setting preferences restrict the sharing of that information. However, the precise wording of the agreement means that Facebook must only obtain that consent in situations where the information sharing "materially exceeds the restrictions imposed by a user’s privacy setting(s)".

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that the FTC should outline what it means by 'materially exceeds' in order to appease Facebook users' concerns.

"One of the most interesting aspects of the FTC's order is its treatment of Facebook's interactions with third parties, including apps providers," Scanlon said. "The FTC has carefully defined the concept of a 'clear and prominent notice', stated that such notices must be provided by Facebook to users before sharing information with third parties and required Facebook to obtain user consent before doing so. At the same time though, it seems that Facebook has been able to negotiate a watering down of this obligation where its third party sharing activities do not 'materially exceed' what users have agreed to as set out in their privacy settings."

"While the Order requires Facebook to obtain the consent of users before sharing information with third parties in a manner that 'materially exceeds' the restrictions imposed by users through their privacy settings, there does not appear to be a clear obligation imposed on Facebook to obtain consent, or inform the user, where it discloses or shares information in a manner that is 'immaterially' beyond what the user has agreed to," he said. "This no doubt will leave users with an uncomfortable feeling, knowing that Facebook's compliance with their privacy settings need merely be close-enough-is-good-enough rather than take the form of a strict compliance obligation."

"The FTC really should clarify what it means by materially exceeding a user's privacy settings in order to give users certainty and avoid needless controversy over this matter," Scanlon added.

Amongst the other measures Facebook has agreed to as part of the finalised settlement is a move to "establish and implement, and thereafter maintain, a comprehensive privacy program".

The program must be "reasonably designed to address privacy risks related to the development and management of new and existing products and services for consumers, and protect the privacy and confidentiality of covered information," the agreement published by the FTC said. 'Covered information' is defined in the agreement as any information "from or about an individual consumer" and includes individuals' names, addresses, photos and IP addresses.

In addition Facebook has agreed to be subject to bi-annual privacy "assessments" by "a qualified, objective, independent third-party professional", for the next 20 years. The company has also agreed to generally prevent the access of third parties to 'covered information' that has been deleted by users from their accounts within 30 days of the erasure taking place.

The measures have been agreed in order to settle complaints (19-page / 425KB PDF) alleging that Facebook deceived users about the control they had over the privacy of their information, the FTC said.

Facebook made users' private information public without warning and without approval, according to the FTC's complaint. The social network also shared users' personal data with advertisers despite saying it would not and allowed third-party apps access to more user data than was needed in order to operate, the regulator said.

Facebook's claim that it could certify the security of verified apps was false, and it did not prevent third-party apps used by users' friends from accessing data users would share with those people, despite telling them the data would be shared with 'friends only', the regulator added. Facebook also wrongly claimed that it shut off access to photos and videos on deactivated or deleted accounts and that it complied with US-EU Safe Harbor rules on the transfer of data, it said.

The FTC's settlement with Facebook was agreed despite the dissent of one of its Commissioners.

J. Thomas Rosch said the agreement should not have been formed since Facebook had expressly denied the charges it faced. Rosch also questioned whether the agreement covered all the "deceptive practices" that Facebook and applications that run on the platform allegedly engaged in.

He said that it is "deceptive" for Facebook to have settings that would lead users to think they can restrict who can see information about their use of apps when that may not be the case, as one reporter has claimed.

"I consider such inadequate disclosure to be deceptive when it occurs in the Facebook environment, irrespective of whether that failure to fully disclose stems from the conduct of the app or Facebook itself," Rosch said in his dissenting statement (3-page / 161KB PDF). "I would include language in the order to make that clear, lest Facebook argue subsequently that the Commission order only covers deceptive conduct engaged in by Facebook itself."
