Facebook Settles With the FTC for 20 Years of Privacy Audits
Facebook has agreed to 20 years of privacy audits in response to complaints by the U.S. Federal Trade Commission that it unfairly deceived users about the privacy of their personal information, as was anticipated.
The settlement, which is not particularly punitive and comes years after some of the incidents in question, shames Facebook for promising users that their information was kept private while it was in fact shared with advertisers and outside applications that the users or their friends installed. The decision is not yet final but has already been unanimously passed into a public comment period by the commission.
Facebook’s punishment is in line with what its competitors Twitter and Google have already agreed to: Clearer privacy policies that are audited every two years for the next 20 years.
Facebook is required to get users’ consent before it makes privacy changes and to do specific things like make content from deleted users’ profiles unavailable after 30 days. If it messes any of that up, it will be fined $16,000 per violation per day.
The settlement could mark a shift in the way Facebook releases new products, as it often require users to actively opt out of new offerings if they don’t want to be included.
Facebook CEO Mark Zuckerberg wrote a long blog post today admitting to “a bunch of mistakes” but also asserting that Facebook has been a leader on online privacy.
“Overall, I think we have a good history of providing transparency and control over who can see your information,” he said.
Zuckerberg said he’d also appointed two new Chief Privacy Officers — Erin Egan for policy and Michael Richter for products — to demonstrate a higher commitment to privacy going forward.
Many of the FTC’s complaints date back to changes Facebook had made over the past two years and subsequently addressed after public criticism. Zuckerberg contended that in the meantime Facebook has also proactively improved user privacy with tools like item-by-item privacy controls.
But it has also released new features and tools that have ruffled privacy feathers (and perhaps worse), like the new “frictionless” sharing, and users have discovered other issues such as cookies that, for a time, tracked people even after they logged out of Facebook.
The FTC settlement isn’t a judgment over whether Facebook broke the law. It also doesn’t contend that Facebook knew that it was providing advertisers with user data or that advertisers did anything nefarious with Facebook user data.
Here are the complaints:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
And here are the remedies:
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material no more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
Please see the disclosure about Facebook in my ethics statement.