
Facebook Agrees to Overhaul its Customer Information Practices to Settle Charges with the FTC it Violated Customer Privacy

Tuesday, December 6, 2011

John G. Haley | Bloomberg Law

In the Matter of Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011)

Facebook, the social networking site with approximately 750 million users, settled charges brought by the Federal Trade Commission ("FTC") that it collected, used and granted access to its users' personal information in contravention of its own privacy policies and of the representations it made about its information practices. The FTC charged that these actions constituted deceptive trade practices in violation of Section 5 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 45(a)(1), which makes it illegal to engage in unfair or deceptive acts or practices in or affecting commerce. Facebook entered into an agreement containing a consent order ("Agreement") but did not concede any violation of the law or that the facts alleged by the FTC were true.

FTC Complaints About Facebook's Privacy Practices

The FTC noted that since 2004 Facebook has operated www.facebook.com, a social networking website. Users create online profiles containing personal information and upload photos, videos, messages and comments to their profiles. Users join groups, connect with "friends," and can add the same kinds of content to other users' profiles. According to the FTC, Facebook has approximately 750 million users and had revenues in 2009 of approximately $777.2 million, generated in part through third-party advertising.

— Collection and Storage of Personal Information

The complaint stated that "Facebook has collected extensive 'profile information' about its users," including a user's name, gender, e-mail address, and birthday, which are mandatory. Facebook also collects optional information such as personal, educational, work, relationship and political details, and various likes and interests. FTC Complaint at 2. Over time Facebook collects further information about its users based on their activities on the site, including the groups they belong to, their friends, and their messages and comments. Facebook assigns each user a unique User ID number and stores user information on its network.

— Facebook Privacy Profile Settings

According to the FTC, Facebook provided users with a "Central Privacy Page" informing them that they could "[c]ontrol who can see your profile and related information" and otherwise restrict access to their profile to specified users. Complaint at 5-6. The FTC stated that Facebook did not disclose that
a user's choice to restrict profile information to "Only Friends" or "Friends of Friends" would be ineffective as to certain third parties. Despite this fact, in many instances, Facebook has made profile information that a user chose to restrict to "Only Friends" or "Friends of Friends" accessible to any Platform Applications that the user’s Friends have used.
Id. at 6. The FTC also complained that Facebook "failed to disclose that a user's choices made through Profile Privacy Settings have been ineffective against" applications that a user's friends had accessed. Id. Specifically, the FTC was concerned that individuals who did not themselves use a given application would have no reason to restrict the personal information available through it, and might be unaware that if their friends used the application, their information could be accessed through it by others. The FTC charged that Facebook represented that users could restrict access to their profile information but that "[i]n truth and in fact, in many instances, users could not restrict access to their profile information to specific groups," which constituted a false or misleading representation. Id. at 6.

— Changes to Facebook Privacy Policy

In November 2009, Facebook changed its privacy policy to designate certain user information as "publicly available," and implemented the changes in December. Id. at 7. The FTC stated that "Following the December Privacy Changes, Facebook users could no longer restrict access to their Friend List through their Profile Privacy Settings," that "users could no longer restrict the visibility of their Profile Picture and Pages through these settings," and that "all prior user choices to do so were overridden." Id. at 7. The FTC claimed that Facebook did not adequately disclose these changes, which "caused harm to users, including, but not limited to, threats to their health and safety, and unauthorized revelation of their affiliations," because "certain users were subject to the risk of unwelcome contacts from persons who may have been able to infer their locale." Id. at 8.
According to the FTC, "each user's Friend List became visible to anyone who viewed the user's profile, thereby exposing potentially sensitive affiliations, that could, in turn, reveal a user's political views, sexual orientation, or business relationships, to third parties - such as prospective employers, government organizations, or business competitors." Id. at 9. The FTC complaint alleged that Facebook's failure to disclose the changes to its privacy policy was a deceptive and unfair practice in violation of the FTC Act.

— Facebook's Use of Targeted Advertising

According to the FTC complaint, Facebook allowed advertisers to target their ads by requesting that Facebook display them to users whose profile information reflected certain traits, including location, age, sex, birthday, relationship status, likes and interests, education, and name of employer. The FTC pointed to numerous instances in which Facebook stated that it did not disclose personal information to advertisers, e.g., "We don't share information with advertisers without your consent," and "We never share your personal information with advertisers." Complaint at 12. The FTC argued that, "contrary to the statements" made by Facebook, "in many instances, Facebook has shared information about users with Platform Advertisers by identifying to them the users who clicked on their ads and to whom those ads were targeted." Id. at 13. The FTC also alleged that "when a user visited certain Platform Applications, Facebook disclosed the user's User ID, in plain text, to any Application Advertiser that displayed an ad on the application's web page." Id. at 13. With the User ID, an advertiser could retrieve detailed information about the person from the user's profile page and combine it with information about that user's visit to the advertiser's website.
The FTC claimed that Facebook represented that it did not provide advertisers with information about its users when in fact it did, constituting a false or misleading representation in violation of the FTC Act.

— Application Verification Program

The FTC claimed that Facebook gave users the impression that it verified the security of Verified Apps, citing these statements on the site:
Application Verification
Facebook is introducing the Application Verification program which is designed to offer extra assurances to help users identify applications they can trust -- applications that are secure, respectful and transparent, and have demonstrated commitment to compliance with Platform policies.
Complaint at 15. Facebook also stated
Applications that choose to participate in Facebook’s Application Verification Program receive a green check mark when they pass Facebook’s detailed review process. The review process is designed to ensure that the application complies with Facebook policies. In addition, Verified applications have committed to be transparent about how they work and will respect you and your friends when they send communication on your behalf.
Id. In spite of these claims, the FTC said, "Facebook took no steps to verify either the security of a Verified Application's website or the security the Application provided for the user information it collected, beyond such steps as it may have taken regarding any other Platform Application." Id.

— Facebook's Disclosure of User Photos and Videos

According to the FTC, "Facebook has collected and stored vast quantities of photos and videos that its users upload, including, but not limited to: at least one such photo from approximately ninety-nine percent of its users, and more than 100 million photos and 415,000 videos from its users, collectively, every day." Complaint at 16. While Facebook indicated that users could make their photos and videos inaccessible by deleting or deactivating their accounts, in fact it continued to display users' photos and videos even after users had deleted or deactivated their accounts, the FTC claimed. The FTC charged that this constituted a false or misleading representation.

— Certified Compliance with the U.S.-EU Safe Harbor Program

According to the FTC, since 2007 Facebook has certified that it complied with all of the principles required for compliance with the U.S.-EU Safe Harbor Framework, stating its compliance in its online Privacy Policy and declaring its self-certification on the U.S. Department of Commerce website. However, the FTC claimed that "in many instances" Facebook did not in fact give users the notice and choice required by Safe Harbor, and that this constituted an unfair or deceptive trade practice in violation of the FTC Act.

FTC Settlement Agreement With Facebook

Under its Agreement with the FTC, Facebook agreed not to misrepresent its information privacy or security policies, including: its collection or disclosure of any covered information; whether it discloses information to third parties; its verification of third-party privacy and security policies; whether consumers can control the privacy of their information; and whether it participates in any privacy, security, or other compliance program sponsored by the government or any third party, including the U.S.-EU Safe Harbor Framework. Under the Agreement, Facebook must take certain steps, including obtaining the user's affirmative express consent, before sharing a user's nonpublic user information in a way that materially exceeds the restrictions imposed by that user's privacy settings. Before such sharing, Facebook also must clearly and prominently disclose, separate and apart from any privacy policy, Statement of Rights and Responsibilities, or other document or policy, (1) the categories of nonpublic user information that will be disclosed to third parties, (2) the identity or specific categories of such third parties, and (3) that such sharing exceeds the restrictions of the user's privacy settings. The Agreement does not require Facebook to obtain a user's prior express consent before sharing of nonpublic information initiated by another user who is authorized to access that information, as long as the sharing does not materially exceed the restrictions imposed by the first user's privacy settings.

— Security Policies

Facebook must implement procedures reasonably designed to ensure that covered information cannot be accessed by any third party from servers under Facebook's control after the user has deleted the information or deleted or terminated his or her account, within a reasonable period not exceeding 30 days, except as required by law or where necessary to protect the Facebook website or its users from fraud or illegal activity. Facebook is not required to restrict access to any copy of a user's covered information that has been posted to Facebook's websites or services by a user other than the user who deleted the information or deleted or terminated the account.
— Comprehensive Privacy Program

Under the consent order, Facebook must implement a comprehensive privacy program. The program must be reasonably designed to address privacy risks related to the development and management of new and existing products and services for consumers, and to protect the privacy and confidentiality of covered information. The privacy program must be in writing and contain controls and procedures appropriate to Facebook's size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it collects. Under the comprehensive program Facebook must also:
  • Designate employees to coordinate and be responsible for the privacy program;
  • Identify reasonably foreseeable material risks, both internal and external, that could result in the unauthorized collection, use, or disclosure of covered information;
  • Assess the sufficiency of any safeguards in place to control material risks through a privacy risk assessment. It must consider risks in areas such as employee training and management, product design, development, and research;
  • Design and implement reasonable controls and procedures to address the risks identified through the risk assessment, and conduct regular testing or monitoring of the effectiveness of those controls and procedures;
  • Use reasonable steps to ensure service providers are capable of protecting the privacy of user information, and require service providers, by contract, to implement and maintain appropriate privacy protections; and
  • Evaluate and adjust Facebook’s privacy program in light of the results of the testing and monitoring required by the settlement with the FTC, any material changes to Facebook’s operations or business arrangements, or any other circumstances that Facebook knows or has reason to know may have a material impact on the effectiveness of its privacy program.
— Privacy Audits

Facebook must obtain biennial privacy assessments and reports ("Assessments") from a qualified, objective, independent third-party professional who uses procedures and standards generally accepted in the profession and has a minimum of three years of experience in the field of privacy and data protection. The Assessments must be conducted every two years for twenty years. Each Assessment must:
  • Set forth the specific privacy controls that Facebook has implemented and maintained during the reporting period;
  • Explain how such privacy controls are appropriate for Facebook, its users and the sensitivity of the covered information;
  • Explain how the privacy controls that have been implemented meet or exceed the protections required by the agreement with the FTC; and
  • Certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.
The consent order terminates twenty years after it is issued, or twenty years after the most recent date on which the FTC files a complaint in federal court alleging a violation of the order, whichever comes later.

©2014 The Bureau of National Affairs, Inc. All rights reserved. Bloomberg Law Reports® is a registered trademark and service mark of The Bureau of National Affairs, Inc.
