Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.

Indeed, the Facebook settlement signals that the FTC is likely to continue requiring comprehensive privacy programs and enforcing the US-EU Safe Harbor Principles in a substantive manner, two things that the FTC had not done before March 2011. Such enforcement is no surprise, given that the FTC has advocated a “privacy by design” approach since at least December 2010. Specifically, the FTC’s proposed settlement requires Facebook to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.”

In addition, the settlement also requires Facebook, before sharing a user’s nonpublic personal information with a third party in excess of the user’s privacy settings, to “clearly and prominently disclose” (outside of the Facebook privacy policy or other boilerplate) the categories of nonpublic user information that will be disclosed, the identity or specific categories of such third parties, and that such sharing exceeds the restrictions imposed by the users’ privacy settings. Importantly, Facebook must also obtain a user’s affirmative express consent before sharing the user data in the new circumstance. The settlement also imposes a requirement for Facebook to retain an independent third party to biennially assess its privacy practices vis a vis the settlement terms for the next twenty years.

The FTC’s eight-count Complaint that underlies the settlement alleges that numerous Facebook initiatives violated prior representations about the extent to which users’ information was accessible by third parties. For instance, the FTC alleged that Facebook, despite allowing users to restrict access to profile information to specific individuals or groups of people, permitted users’ information to be accessed by third-party applications on the Facebook platform which the users’ friends used. The FTC also alleged that in December 2009, Facebook made public certain information that users had previously designated private and failed to disclose that users could no longer restrict access to certain information or that their existing choices would be overridden.

The FTC also alleged that Facebook’s December 2009 changes were both deceptive (because Facebook failed to adequately disclose the changes) and unfair (because Facebook retroactively applied the changes to personal information that it had previously collected from users, without their informed consent).

According to the FTC, Facebook’s conduct harmed consumers because the alleged violations:

·          Made certain users “subject to the risk of unwelcome contacts;”

·          Exposed “potentially controversial political views or other sensitive information to third parties;”

·          Exposed the user’s list of friends to third parties, “thereby exposing potentially sensitive affiliations;” and

·          Revealed “potentially embarrassing or political images to third parties.”

The FTC’s complaint also alleged other privacy violations by Facebook, including the following:

·          Facebook permitted apps on its platform to access more personal information about the app’s user than was necessary for the app’s purpose

·          Facebook permitted apps to access personal information about a user’s friends even if the friends never granted the app authorization to access their personal information

·          Facebook’s advertising program shared identifiable information with advertisers, contrary to representations it had made to its users

·          A little-used “Facebook Verified App” badge, whereby Facebook, for a fee, would “verify the security of Verified Apps” was deceptive because Facebook did no more to verify applications bearing that badge than it did with any other platform application

·          Facebook retained and continued to make accessible users’ photos and videos, even after users deleted or deactivated their accounts, contrary to Facebook’s prior representations

·          Facebook falsely certified that it had complied with the US-EU Safe Harbor Principles, particularly, the principles of Notice and Choice, when it was not in compliance with them

In settling the FTC’s charges, Facebook did not admit the truth of any of the FTC’s substantive or factual allegations, aside from jurisdictional ones.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up. Any changes to a website or application should respect users’ prior privacy choices and obtain a users’ affirmative consent before altering or overriding those prior choices. The requirement that Facebook enact a comprehensive privacy program (e.g., “privacy-by-design”) – a settlement term that the FTC first included in Google’s March 2011 settlement—demonstrates that this requirement will likely be a staple of future privacy-related settlements. The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.