FTC Announces Settlement with Facebook

Given the FTC’s recent consent decrees with Google and Twitter and associated audit and record-keeping obligations, the FTC now effectively has regulatory oversight over the privacy and data security practices of the three most prominent social networking companies in the United States.

The FTC’s complaint (PDF) alleges that Facebook violated Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, by repeatedly failing to live up to the privacy promises it made to its now approximately 750 million users. The complaint sets forth the following instances in which Facebook allegedly made unfair or deceptive promises concerning its privacy practices:

• Deceptive Privacy Settings:  Although Facebook informed users that they could “control who can see” their profile information by using privacy settings to restrict access to their profiles, these settings did not prevent certain third party applications from accessing users’ profile information.

• Unfair and Deceptive Privacy Changes:  Facebook made changes to its website that made public information that users previously designated as private, without adequate notice to the users (much like what was alleged in the Google Buzz consent decree).

• Deception Regarding Application Access:  Facebook represented to users that third-party applications would only be able to access such user profile information that was necessary to operate the application, but in some instances applications were given nearly unlimited access to users’ profile information.

• Deception Regarding Sharing with Advertisers:  Facebook promised that it would not share users’ information with third-party advertisers, but it provided advertisers with information about its users.

• Deception Regarding “Verified Apps” Program:  Facebook claimed that it verified the security of applications that sought certification through the “Verified Apps” program, but it took no steps to verify the security of a “Verified” application beyond those which it may have taken regarding any other application.

• Deception Regarding Deletion of User Content:  Facebook represented to its users that their profile information, including photos and videos, would be inaccessible upon the deletion of their accounts, but Facebook continued to allow third parties to access this content after the users’ accounts were deleted or deactivated.

The FTC’s enforcement action against Facebook is yet another example of the FTC’s ongoing effort to ensure that websites live up to the privacy promises they make to consumers. Jon Leibowitz, Chairman of the FTC, remarked that “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” and noted that the “FTC action will ensure” that Facebook’s innovations will not come at the expense of consumer privacy.

US-EU Safe Harbor Framework Violations

The alleged violations of Section 5 of the FTC Act also include a failure to comply with the substantive privacy requirements of the US-EU Safe Harbor Framework ("Safe Harbor").  The Safe Harbor is a voluntary framework that allows companies to transfer personal data from the EU to the US in compliance with EU law.  Since at least 2009, Facebook has maintained self-certification with the Department of Commerce under the Safe Harbor program, under which it has declared its compliance with the seven Safe Harbor privacy principles in its public Privacy Policy and on the US Department of Commerce website.  In its complaint, the FTC alleged that Facebook, due to the failure to live up to many of the representations it made about its privacy practices, failed to comply with the Safe Harbor principles of Notice and Choice that required it to inform individuals about all the purposes for which it collected their data and to give those individuals a choice about how their information would be used.  

Terms of Proposed Settlement 

Under the consent decree (PDF), the FTC bars Facebook from further misrepresenting its privacy practices and requires it to: (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) establish and maintain a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information; and (iv) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree. 

In advance of the FTC’s announcement, Mark Zuckerberg, founder and CEO of Facebook, today posted an entry on The Facebook Blog detailing the measures that Facebook will take to protect the privacy of its users. These measures include the creation of two new corporate officer roles:  Chief Privacy Officer – Policy, and Chief Privacy Officer – Products. Zuckerberg stated that the new corporate officer positions “will further strengthen the processes that ensure that privacy control is built into our products and policies.”

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells’ Washington, DC office

Authored by Steven Spagnolo