Facebook settles privacy issues according to FTC press release
- Sent on behalf of peter@...
The social networking service Facebook has agreed to settle Federal Trade
Commission charges that it deceived consumers by telling them they could
keep their information on Facebook private, and then repeatedly allowing it
to be shared and made public. The proposed _settlement_
SvQ2PFzrGUUH8KT+CEBow3RJ) requires _Facebook_
+frQjrgY9Z5Y4DGj11) to take several steps to make sure it lives up to its
promises in the future, including giving consumers clear and prominent
notice and obtaining consumers' express consent before their information is
shared beyond the privacy settings they have established.
The FTC's eight-count _complaint_
Gj11) against Facebook is part of the agency's ongoing effort to make
sure companies live up to the privacy promises they make to American
consumers. It charges that the claims that Facebook made were unfair and deceptive,
and violated federal law.
"Facebook is obligated to keep the promises about privacy that it makes to
its hundreds of millions of users," said Jon Leibowitz, Chairman of the
"Facebook's innovation does not have to come at the expense of consumer
privacy. The FTC action will ensure it will not."
The FTC complaint lists a number of instances in which Facebook allegedly
made promises that it did not keep:
* In December 2009, Facebook changed its website so certain
information that users may have designated as private – such as their Friends List –
was made public. They didn't warn users that this change was coming, or
get their approval in advance.
* Facebook represented that third-party apps that users' installed
would have access only to user information that they needed to operate. In
fact, the apps could access nearly all of users' personal data – data the
apps didn't need.
* Facebook told users they could restrict sharing of data to limited
audiences – for example with "Friends Only." In fact, selecting "Friends
Only" did not prevent their information from being shared with third-party
applications their friends used.
* Facebook had a "Verified Apps" program & claimed it certified the
security of participating apps. It didn't.
* Facebook promised users that it would not share their personal
information with advertisers. It did.
* Facebook claimed that when users deactivated or deleted their
accounts, their photos and videos would be inaccessible. But Facebook allowed
access to the content, even after users had deactivated or deleted their
* Facebook claimed that it complied with the U.S.- EU Safe Harbor
Framework that governs data transfer between the U.S. and the European Union.
The proposed settlement bars Facebook from making any further deceptive
privacy claims, requires that the company get consumers' approval before it
changes the way it shares their data, and requires that it obtain periodic
assessments of its privacy practices by independent, third-party auditors
for the next 20 years.
Specifically, under the proposed settlement, Facebook is:
* barred from making misrepresentations about the privacy or
security of consumers' personal information;
* required to obtain consumers' affirmative express consent before
enacting changes that override their privacy preferences;
* required to prevent anyone from accessing a user's material no
more than 30 days after the user has deleted his or her account;
* required to establish and maintain a comprehensive privacy program
designed to address privacy risks associated with the development and
management of new and existing products and services, and to protect the
privacy and confidentiality of consumers' information; and
* required, within 180 days, and every two years after that for the
next 20 years, to obtain independent, third-party audits certifying that it
has a privacy program in place that meets or exceeds the requirements of
the FTC order, and to ensure that the privacy of consumers' information is
The proposed order also contains standard record-keeping provisions to
allow the FTC to monitor compliance with its order.
Facebook's privacy practices were the subject of complaints filed with the
FTC by the Electronic Privacy Information Center and a coalition of
The Commission vote to accept the consent agreement package containing the
proposed consent order for public comment was 4-0. The FTC will publish a
description of the consent agreement package in the Federal Register
shortly. The agreement will be subject to public comment for 30 days, beginning
today and continuing through December 30, 2011 after which the Commission
will decide whether to make the proposed consent order final.
ISPLA Director of Government Affairs
Investigative and Security Industry Resource to the Profession,
Government, and the Media
[Non-text portions of this message have been removed]