The Federal Trade Commission announced on August 10, 2012 that it has accepted as final a settlement with Facebook that resolves charges that Facebook deceived consumers by making false privacy assurances and then repeatedly allowing consumer information to be shared and made public. The FTC’s charges had included allegations that Facebook: (1) changed its website so certain information users may have designated as private was made public (without warning users this change was coming, or obtaining users’ approval in advance); (2) misrepresented the level of access to user data provided to third-party apps; (3) misrepresented that it had certified the security of participating third-party apps; (4) falsely claimed that it would not share users’ personal information with advertisers; (5) falsely claimed that when users deactivated or deleted their Facebook accounts, their user content would be inaccessible; and (6) misrepresented that it complied with the US – EU Safe Harbor Framework governing data transfers between the European Union and the United States.
Under the terms of the settlement, Facebook is:
- Barred from making misrepresentations about the privacy or security of consumers’ personal information;
- Required to obtain consumers’ “affirmative express consent” before sharing their information with any third party that materially exceeds the restrictions imposed by a user’s privacy settings;
- Required to implement procedures to prevent third parties from accessing users’ information no later than 30 days after a user has deleted such information or terminated his or her account;
- Required to implement and maintain a comprehensive privacy program; and
- Required to obtain, every two years for the next 20 years, third-party audits certifying that its privacy practices are compliant with the FTC’s order.
The Commission vote to approve the final order was 3-1-1 and followed a public comment period. Commissioner J. Thomas Rosch dissented from the acceptance of the final order, questioning whether the settlement was “in the interest of the public”.
The settlement serves as a timely reminder that companies must abide by their own statements regarding how personal information is used and shared.