The Federal Trade Commission (FTC) announced last week that Facebook has settled charges that it deceived consumers by making false privacy assurances, and then repeatedly allowing consumer information to be shared and made public. The settlement serves as a timely reminder that companies must abide by their own statements regarding how personal information is used and shared.
Under the terms of the settlement, Facebook is:
- Barred from making misrepresentations about the privacy or security of consumers’ personal information;
- Required to obtain consumers’ “affirmative express consent” before enacting changes that override their privacy preferences;
- Required to implement procedures to prevent third parties from accessing users’ information no later than 30 days after a user has deleted such information or terminated his or her account;
- Required to implement and maintain a comprehensive privacy program; and
- Required to obtain, every two years for the next 20 years, third-party audits certifying that its privacy practices are compliant with the FTC’s order.
The FTC lists eight specific allegations about Facebook’s information practices in its complaint accompanying the settlement. Among these allegations were claims that Facebook: (1) changed its website so certain information users may have designated as private was made public (without warning users this change was coming, or obtaining users’ approval in advance); (2) misrepresented the level of access to user data provided to third-party apps; (3) misrepresented that it had certified the security of participating third-party apps; (4) falsely claimed that it would not share users’ personal information with advertisers; (5) falsely claimed that when users deactivated or deleted their Facebook accounts, their user content would be inaccessible; and (6) misrepresented that it complied with the US-EU Safe Harbor Framework governing data transfers between the European Union and the United States.
The settlement agreement will be subject to public comment until December 30, 2011, after which the FTC will decide whether to make the proposed settlement agreement final.
If you have any questions about this development or other technology law or privacy law questions, please contact Glen Westerback at 212.826.5563 or email@example.com, Terri Seligman at 212.826.5580 or firstname.lastname@example.org, or any other member of the Frankfurt Kurnit Technology, eCommerce and Privacy Group or Frankfurt Kurnit Advertising Group.