1. Facebook’s FTC Settlement Calls for Updated Privacy Practices, Increased Transparency

    “The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.” (Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises, Federal Trade Commission press release announcing the settlement) 

    On November 29, the Federal Trade Commission announced that it had reached a settlement with Facebook over charges that the online social network violated the privacy promises it made to users and in doing so broke federal law. The settlement, according to the FTC:

    “… is part of the agency’s ongoing effort to make sure companies live up to the privacy promises they make to American consumers. It charges that the claims that Facebook made were unfair and deceptive, and violated federal law.” (FTC press release)

    But is the FTC’s bark worse than its bite? The settlement (which has yet to be finalized) contains no fines or other penalties, nor does it require Facebook to indemnify users whose privacy was alleged to have violated. In fact, the settlement only requires Facebook to play nice going forward:

    “The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.” (FTC press release

    The implications for Facebook are clear: the FTC will be watching them—closely—for future privacy violations. But the ways in which the settlement will bolster consumer privacy and help online consumers of Facebook and other social networking sites remain to be seen. Until then, here’s an overview of the settlement, from lawyers on JD Supra:

    FTC Charges:

    “The FTC alleged that Facebook made multiple false representations to its users about how and when the information that they shared with Facebook was shared or otherwise made available to third parties… It further alleged that Facebook’s “Friends Only” privacy setting falsely communicated to users that information was restricted to a limited audience, when in fact information labeled with this setting was available to third-party applications as well. The FTC also alleged that Facebook falsely stated that it did not share users’ personal information with advertisers, falsely represented that the deactivation of a Facebook account rendered the user’s photographs and videos previously uploaded to Facebook inaccessible, and falsely claimed to be compliant with the United States – European Union Safe Harbor Framework governing data transfer.” 

    Terms of the Settlement:

    “… Facebook agreed not to make false representations to users about the privacy of their personal information, and to make numerous revisions to its privacy practices. Going forward, Facebook must, prior to any sharing of a user’s ‘nonpublic user information’ in a way that materially exceeds the restrictions imposed by a user’s privacy settings, provide notice to and obtain affirmative express consent from the user. This must be done separately and apart from the statement of any privacy or similar policy. Facebook also must establish and maintain a comprehensive privacy plan to address privacy risks, and for the next 20 years it must employ third-party auditors to evaluate Facebook’s privacy practices and provide the evaluation results to the FTC. Additionally, Facebook must make users’ information unavailable within 30 days following the deletion of a Facebook account.” (Recent Facebook Settlement Spotlights FTC Interest in Representations to Consumers Regarding Online Privacy by Wilson Sonsini Goodrich & Rosati) 

    Facebook Reaction:

    “’I’m the first to admit that we’ve made a bunch of mistakes,’ Facebook CEO Mark Zuckerberg wrote in a blog post. ‘In particular, I think that a small number of high profile mistakes…and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done.’ He also announced the creation of two chief privacy officer roles, one focused on policy and the other on products, to assist with regulatory compliance.” (Advertising and Marketing News - December 2011 by Venable LLP) 

    Early Opposition

    “… as the Commission acknowledges in the release announcing the settlement, Facebook will not, by entering in the consent agreement, be admitting or denying that it has violated the law. Moreover, if the consent agreement is consummated, the public will be deprived of actually knowing whether or not Facebook engaged in the behaviors alleged in the draft complaint. The truth in this matter is socially important and of enormous cultural moment. The degree to which Facebook respects or flaunts its own stated policies potentially impacts, not only the hundreds of millions of account holders Facebook states publicly that it has, but also the wider society.” (Letter to FTC Opposing Proposed Settlement with Facebook by William Carleton) 

    The Future of Online Privacy:

    “The FTC’s complaint and proposed order against Facebook are noteworthy because they reinforce the precedents that the FTC set in its action against Google, thereby sending the following unmistakable signals to the market:

    • The FTC will continue to hold companies to their privacy promises and apply strong injunctive relief where it finds that the promises are false;
    • The FTC continues to believe that a company must obtain affected consumers’ affirmative consent to new privacy practices applied retroactively;
    • The FTC will continue to look for and prosecute companies’ failures to abide by the principles underlying their Safe Harbor certifications;
    • The FTC has a new template for privacy settlement agreements – one that requires a “privacy by design” approach to business, as well as independent biannual audits for 20 years; and
    • The FTC is beginning to consider privacy by design as a requirement under Section 5 of the FTC Act, which prohibits unfair and deceptive acts and practices.”

    (Proposed Settlement with Facebook Underscores the FTC’s Privacy Priorities by Morrison & Foerster LLP) 

    —-

    Follow Privacy Law updates on: LinkedIn | Twitter

Notes

  1. law-news posted this