Facebook Simplified Its Privacy Policy, But Has Anyone Noticed?

The blogosphere has been abuzz lately about Facebook’s new privacy settings, but lost amid all the noise is Facebook’s implementation of a new user-friendly privacy policy.

For those who haven’t been paying attention (or who haven’t logged on to Facebook lately), Facebook’s 350 million users are being asked to refine their privacy settings with a new software tool that allows users to dictate who has access to each category of content the user uploads to the website. Critics have slammed the updated privacy settings in large part because of certain personal information that is deemed public to all Facebook members: your name, city, gender, photograph, your lists of friends and “fan” pages, and networks to which you belong. Facebook is also being criticized for the default privacy settings, which would allow a user’s status updates and other content to be shared with anyone on the internet.  On December 17, 2009, the Electronic Privacy Information Center ("E.P.I.C."), joined by nine other privacy and consumer organizations, filed a complaint with the Federal Trade Commission asking for an investigation into these changes, which the complaint describes as "unfair and deceptive trade practices."

Lost amid this public outcry is Facebook’s recent move to a more user-friendly privacy policy. To comply with California’s Online Privacy Protection Act, operators of websites or online services that gather “personally identifying information” must conspicuously post their privacy policies online. This policy must (1) identify the personally identifying information the site or service collects and with whom it shares that information, (2) describe any available process by which a user may review and/or request changes to the personally identifiable information collected, (3) describe the process by which the site or service notifies users of material changes to its privacy policy, and (4) identify the policy’s effective date.

The problem with most privacy policies designed to comply with California’s law is that, generally speaking, privacy policies are dense and full of legalese. In the context of the federal Gramm-Leach-Bliley Act (“GLBA”), regulators have recognized that hard-to-read privacy policies are not helpful to consumers, and have taken steps to encourage more user-friendly privacy policies. (See our November 20 post regarding GLBA privacy notices here.) Facebook has responded to these concerns by adopting a completely rewritten privacy policy designed to make its policy more accessible and easier to understand.

For example, Facebook’s new policy includes a bullet point summary of key points at the beginning of the policy followed by section headings that allow users to jump to particular areas of the policy. Complex legal terms have been replaced throughout the policy by more basic language, with hyperlinks to pages containing more detail on key terms or issues. On Facebook’s company blog post detailing the new policy (available here), the company commits to adding additional definitions of key terms, screen shots of important pages, and “learn more” video content.

It isn’t hyperbole to say that Facebook’s privacy policies are subject to more public critique and impassioned criticism than any other in history. Regardless of your position on Facebook’s new default privacy settings, Facebook’s revised privacy policy is a step towards providing its users with clarity regarding how the information its users share is gathered and used. More importantly, the move toward a simpler online privacy policy is likely a sign of things to come in the Internet business community.

Consent to Cookies? Who Wouldn't?

If the European Commission has anything to say about it, starting about 18 months from now companies will have to start obtaining consent from Web site visitors to place cookies on their computers.

Last week, the European Parliament approved amendments to Europe’s e-Privacy Directive (see page 76, item 5) requiring, among other things, that operators of Web sites obtain a user’s consent before placing a cookie on the user’s computer.  “Cookies” are digital files that are routinely placed on a user’s computer when they visit a Web site.  These files are used for many purposes, including to save a user’s name and password so they can be pre-populated in a Web site’s log-in page; to enable Web sites to engage in behavioral marketing by displaying ads that are keyed to a user’s browsing history; to enable Web sites to perform analyses of the demographics of the site’s visitors and what areas of the site are most popular; and to save the contents of a user’s online shopping cart.

Under the amended e-Privacy Directive, Web sites may only place cookies if the user has consented, after having been provided with clear and comprehensive information about the purpose of the cookie.  The amended directive provides an exception to the consent requirement if the cookie is “strictly necessary” in order for the Web site to provide a service specifically requested by the user.  While this exception is mildly helpful, it would not apply to most uses of cookies.

A recital (see recital 66) that prefaces the directive suggests that “where it is technically possible and effective,” consent may be expressed by using the appropriate settings of a Web browser or other application. However, it is unclear whether user consent can be obtained this way when the default Web browser setting is to accept cookies, as is the case with most Web browser software on the market.
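As an added illustration of the rule described in the two paragraphs above (example code written for this page, not code from the directive, Facebook, or any vendor): a cookie-setting layer that bypasses consent only for strictly necessary cookies and treats a browser’s default “accept cookies” setting as carrying no consent information. The category names, the cookie classifications, and the simulated jar are assumptions.

```javascript
// Added example (not from the post): a consent gate modelled on the amended
// e-Privacy Directive's rule that a cookie may only be placed with prior,
// informed consent unless it is "strictly necessary" for a service the user
// specifically requested. Category names and the jar structure are assumptions.
const STRICTLY_NECESSARY = "strictly-necessary";

// A simulated cookie jar so the example runs outside a browser.
function createCookieJar() {
  return { set: [], refused: [] };
}

// consent is an explicit record the site collected from the user, e.g.
// { informed: true, categories: new Set(["analytics"]) }.
// A browser's default "accept cookies" setting produces no such record,
// so it is passed here as null and treated as no consent at all.
function setCookie(jar, consent, name, value, category) {
  const allowed =
    category === STRICTLY_NECESSARY ||
    (consent !== null && consent.informed && consent.categories.has(category));
  if (!allowed) {
    jar.refused.push(name);
    return false;
  }
  jar.set.push(`${name}=${value}`);
  return true;
}

// Attempt the kinds of cookies the post lists and report what got through.
function runScenario(consent) {
  const jar = createCookieJar();
  // Session identifier needed to deliver the page the user asked for: exempt.
  setCookie(jar, consent, "sessionid", "s1", STRICTLY_NECESSARY);
  // Remembered log-in, behavioural ads and visitor analytics: consent required
  // (these classifications are an assumption for the example).
  setCookie(jar, consent, "remember_me", "u42", "functional");
  setCookie(jar, consent, "ad_profile", "p7", "advertising");
  setCookie(jar, consent, "site_stats", "v1", "analytics");
  return jar;
}

// Default browser settings: nothing is known about the user's wishes.
const fromBrowserDefault = runScenario(null);
// Explicit, informed consent to analytics cookies only.
const analyticsOnly = runScenario({ informed: true, categories: new Set(["analytics"]) });
console.log(fromBrowserDefault.set, analyticsOnly.set);
```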

Furthermore, due to the European law’s definition of “personal information,” the EU’s new rule even applies to cookies that do not collect a user’s name or contact information, on the grounds that anonymous cookies still enable a Web site to recognize a user who has been to the site before.

While this amendment leaves European companies in a state of alarm, it also leaves non-EU companies in a state of quandary.  The EU (specifically, the Article 29 Working Party) consistently has taken the position that its personal data directive (an older sibling of the e-Privacy Directive) applies to wholly non-EU Web sites that place cookies on computers which are located in Europe.  If the e-Privacy Directive also applies to all Web sites that drop cookies, the global impact of these amendments essentially requires every Web site to change its practices in about 18 months, which is the deadline by which European Member States must implement the e-Privacy Directive’s amendments.