Facebook and the FTC announced an agreement on November 29, 2011, ending the FTC’s 18-month investigation into Facebook’s user privacy practices.  By adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  Indeed, shortly after announcing the settlement, the FTC posted a list of seven key lessons for businesses based on its recent consumer privacy enforcement actions.

The FTC’s eight-count complaint included allegations regarding Facebook’s statements about user privacy controls, including whether Facebook shared user information with third-party applications despite representations that users could control their privacy settings.  For example, a user’s personal privacy settings in some instances were ineffective against “Friends’” applications.  Additionally, the FTC alleged that Facebook engaged in retroactive privacy changes in December 2009 that overrode users’ previous privacy levels by making certain information, such as name, profile picture, city, gender and friend list, public.  Though Facebook admitted to no wrongdoing in the settlement agreement, as Mark Zuckerberg explained in a blog post, the agreement establishes certain requirements for Facebook’s management of users’ information and privacy settings—many of which Facebook has implemented.

In the consent order, Facebook agrees that it will not misrepresent the extent to which it maintains the privacy or security of “covered information” (user-provided information, including name, address, e-mail address, phone number, IP address, photos and videos, or physical location).  Specifically, Facebook agrees not to misrepresent the following aspects of its privacy controls:

  • the extent to which it maintains the privacy or security of such information in the collection or disclosure of covered information;
  • the extent to which a consumer can control the privacy of any covered information maintained by Facebook and the steps a consumer must take to implement such controls;
  • the extent to which Facebook makes or has made covered information accessible to third parties;
  • the steps Facebook takes or has taken to verify the privacy or security protections that any third party provides;
  • the extent to which Facebook makes or has made covered information accessible to any third party following deletion or termination of a user’s account with Facebook or during such time as a user’s account is deactivated or suspended; and
  • the extent to which Facebook is a member of, adheres to, complies with, is certified by, endorsed by or otherwise participates in any privacy, security or any other compliance program sponsored by the government or any third party, including but not limited to, the U.S.-EU Safe Harbor Framework.

Other highlights of the agreement include that Facebook must clearly convey what user information is “nonpublic” and the extent to which it is shared with third parties, by disclosing the identity of those third parties and the extent to which such sharing may exceed the boundaries of a user’s established privacy controls, and by obtaining the user’s informed consent.  The agreement also limits use of a Facebook user’s covered information to a 30-day window after the user has terminated or deleted his or her account.  Facebook must also establish a comprehensive privacy program, obtain privacy audits every two years for the next 20 years, and keep certain records of its communications and policy changes regarding privacy.

Jennifer Johnson contributed to this post.