By Bob Scott
The Federal Trade Commission (FTC) and Facebook announced a settlement of allegations that Facebook did not comply with its own written and advertised policies as to how it protected and used the personal information on Facebook users’ pages. Facebook did not admit any wrongdoing, but agreed to a set of detailed privacy practices that incorporate privacy by design, as well as elements of pending federal legislation.
Announcing the settlement with the FTC, Facebook founder Mark Zuckerberg posted a blog entry in which he acknowledged that “a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done” to protect users’ information.
The terms of settlement include Facebook’s commitments to:
- accurately represent “the extent to which it maintains the privacy or security of covered information”;
- clearly and prominently disclose any changes, and to obtain affirmative express consent, prior to sharing nonpublic Facebook user information with any third party in a manner that materially exceeds the restrictions the user has chosen through privacy settings;
- adopt “procedures reasonably designed to ensure that covered information cannot be accessed by any third party” no more than 30 days after the user has deleted the information or terminated the account;
- establish and implement a comprehensive privacy program, reasonably designed to address privacy risks and to protect covered information, with controls and procedures that are appropriate to Facebook’s size, complexity, activities, and the sensitivity of the information it collects:
- The detailed requirements for this program incorporate elements of the FTC’s Privacy Report released December 2010, which we summarized here.
- The required privacy program also incorporates elements contained in the Personal Data Privacy and Security Act introduced earlier this year by Senator Leahy (D. Vermont). The most far-reaching of these may be the requirement that Facebook develop and use reasonable steps to ensure that the service providers it uses (a term the settlement leaves undefined) are capable of appropriately protecting the privacy of covered information, and that it contractually require those service providers to implement and maintain appropriate privacy protections as well;
- maintain detailed records of compliance with these terms, and to submit to independent privacy audits every two years for twenty years to demonstrate compliance.
The settlement tracks the FTC’s recent Google Buzz settlement. However, the sheer magnitude of Facebook’s online presence, and the depth of its relationships with the “service providers” who must also satisfy the settlement’s baseline, give the terms of Facebook’s settlement a weight the Google settlement did not carry: they are likely to function as de facto industry standards for FTC compliance.