By Bob Scott

The Federal Trade Commission (FTC) and Facebook announced a settlement of allegations that Facebook did not comply with its own written and advertised policies as to how it protected and used personal information at Facebook users’ pages. Facebook did not admit any wrongdoing, but agreed to a set of detailed privacy practices that incorporate privacy by design, as well as elements of pending federal legislation.

The FTC’s investigation stemmed from Facebook’s November 2009 modification of its privacy policy, which allowed certain user profile information to be seen by the public. Facebook also allowed some third party applications and advertisers to access personal user information. In simple terms, the FTC’s draft complaint alleged that Facebook’s privacy practices did not match its stated policies, so that Facebook users were not accurately and meaningfully informed about the extent to which personal information would be shared by Facebook with third parties. The FTC characterized the detailed allegations as deceptive and unfair acts and practices prohibited by Section 5 of the Federal Trade Commission Act.

Announcing the settlement with the FTC, Facebook founder Mark Zuckerberg posted a blog entry in which he acknowledged that “a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done” to protect users’ information.

The terms of settlement include Facebook’s commitments to:

  • accurately represent “the extent to which it maintains the privacy or security of covered information”;
  • clearly and prominently disclose any changes, and to obtain affirmative express consent, prior to sharing nonpublic Facebook user information with any third party in a manner that materially exceeds the restrictions the user has chosen through privacy settings;
  • adopt “procedures reasonably designed to ensure that covered information cannot be accessed by any third party” no more than 30 days after the user has deleted the information or terminated the account;
  • establish and implement a comprehensive privacy program, reasonably designed to address privacy risks and to protect covered information, with controls and procedures that are appropriate to Facebook’s size, complexity, activities, and the sensitivity of the information it collects:
    • The detailed requirements for this program incorporate elements of the FTC’s Privacy Report released December 2010, which we summarized here.
    • The required privacy program also incorporates elements contained in the Personal Data Privacy and Security Act introduced earlier this year by Senator Leahy (D. Vermont). The most far-reaching of these may be the requirement that Facebook take reasonable steps to use service providers (a term the settlement leaves undefined) that are capable of appropriately protecting the privacy of covered information, and that it contractually require those service providers to implement and maintain appropriate privacy protections as well;
  • maintain detailed records of compliance with these terms, and to submit to independent privacy audits every two years for twenty years to demonstrate compliance.

The settlement tracks the FTC’s recent Google Buzz settlement. However, unlike the Google settlement, the sheer magnitude of Facebook’s online presence, and the depth of its relationships with “service providers” who must also satisfy the settlement’s baseline, give the terms of Facebook’s settlement significant weight as de facto industry standards for FTC compliance.