Facebook Settles FTC Charges About Privacy Policy Changes, Misleading Users

Facebook has reached a settlement with the Federal Trade Commission over charges of deceptive behavior when it changed its privacy settings.

Facebook and the Federal Trade Commission have reached a settlement over charges the social networking giant engaged in deceptive behavior when it changed its users' privacy settings without permission.

The FTC settlement bars the social networking site from making any "further deceptive privacy claims" and requires Facebook to get explicit approval from users before changing how data is shared, the FTC announced Nov. 29. Facebook must provide "clear and prominent notice" before data is shared, and establish a comprehensive privacy program that is subject to a third-party audit within 180 days and every two years for the next 20 years. While Facebook doesn't have to pay any penalities at the moment, it faces fines of up to $16,000 per day for violating the terms, going forward.

This means users are likely to see more announcements and notifications from Facebook regarding privacy issues. The settlement also requires Facebook to offer all changes that could potentially override existing settings as an opt-in decision. This is a dramatic departure for a company that has long been accused of requiring users to opt-out to maintain their privacy.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said FTC Chairman Jon Leibowitz.

The FTC voted to accept the proposed settlement in a 4-0 vote. The agreement is subject to public comment for 30 days, after which the commission would vote to finalize the settlement. The settlement is also a "consent agreement" and does not "constitute an admission by the respondent that the law has been violated," according to the FTC.

Most of the concerns presented to the FTC in this inquiry have long since been resolved satisfactorily, acording to Daniel Castro, senior analyst at the Information Technology and Innovation Foundation. "Rather than impose heavy-handed regulations or engage in expensive and unproductive litigation, policymakers should continue to work in partnership with the private sector to balance privacy with innovation," Castro said.

The FTC charged Facebook after investigating the company in response to a complaint filed by the Electronic Privacy Information Center (EPIC), a Washington-based advocacy group on Dec. 17, 2009. Facebook had changed its default privacy settings in order to provide users with a "simpler model for privacy control," Mark Zuckerberg, Facebook founder and CEO, said at the time. However, EPIC alleged in its complaint that consumers were harmed when it turned out the changes had resulted Facebook's disclosing "personal information to third parties that was previously not available," such as making accessible the profiles of users who had deactivated or deleted their accounts.

Privacy advocates have long insisted that consumer privacy was at risk because companies could change their privacy policies "at a whim," according to Berin Szoka, president of advocacy group TechFreedom. The settlement "makes clear that changes to what a company may do with information already collected require informed user consent," Szoka said.

The FTC listed eight instances where Facebook did opposite of what it promised, such as claiming that it wouldn't share personal information with advertisers or with third-party developers and not retaining data that users had deleted. Facebook also allowed third-party applications to see data that users had shared only with friends. The FTC charged Facebook with not complying with the U.S.-European Union Safe Harbor framework on privacy.

Under the new settlement, Facebook is now required to make all content from a deleted account inaccessible 30 days after the user deletes the account, unlike the current situation where some data can still live on.

Facebook has already addressed some of these complaints, Zuckerberg wrote in a blog post posted on Nov. 29 following the FTC announcement. The company has made a "bunch of mistakes" around user privacy, and since then has rectified those mistakes, such as canceling its Verified Apps program which claimed to verify the security of certain apps, and fixing the problem that gave advertisers access to users' ID numbers, which resulted in user information being shared with third-parties.

"I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done," Zuckerberg wrote. Beacon was a program in which Facebook users' Internet activities were shared with friends.

Zuckerberg also announced that Facebook will be adding two new executives to oversee privacy. Erin Egan has been named chief privacy officer of policy and Michael Richter, the current lead privacy counsel, has been promoted to chief privacy officer of products.

Overall, Facebook has a "good history of providing transparency and control over who can see your information," Zuckerberg said, adding, "we have led the Internet in building tools to give people the ability to see and control what they share."

The new privacy officers weren't enough for Jeff Chester, excutive director at the Center for Digital Democracy. "We call on Mark Zuckerberg and the Facebook board of directors to accept responsibility for this breach of conduct. They should resign and be replaced by officials that have strong pro-privacy credentials," Chester said.

Google agreed to similar audits in March, when it settled FTC charges of falsely representing how it would use personal information as part of now-dead Buzz micro-blogging site