Facebook Settles Deceptive Privacy Practice Claims With FTC

Facebook “didn’t obtain consumer consent,” Leibowitz told reporters during a teleconference. The company also made personal information available through applications used by users’ “friends” and it “designed its platform in a way that allowed advertisers to get information about users,” he said. The settlement ensures that this should never happen again, he said: It signals that the FTC “will use every tool at our disposal … to make sure every company treats consumer privacy with care and respect.”

The complaint identified eight counts of privacy violations. It alleged that conduct related to sharing information with advertisers occurred from September 2008 to May 2010. Information about users was shared when users clicked on ads on Facebook, said Laura Berger, attorney in the privacy and identity protection division. Because advertisers could identify the user, they “would have the ability to combine that identifying information with other facts about the user.” Some of the violations “were going on for quite some time,” and they have stopped, Leibowitz said. The order is broad and prohibits any kind of deception, including incidents that aren’t specifically addressed in the complaint, they added.

Facebook CEO Mark Zuckerberg admitted the company “made a bunch of mistakes.” In particular, “I think that a small number of high profile mistakes … have often overshadowed much of the good work we've done,” he said in a blog post. Before the FTC agreement was reached, “Facebook had already proactively addressed many of the concerns the FTC raised.” Zuckerberg also announced Tuesday that he created two chief privacy officer positions to deal with Facebook’s privacy practices concerning products and how it works with policymakers and privacy groups.

Under the settlement, Facebook was ordered to implement a comprehensive privacy program to address the violations and do audits of its privacy controls every two years for the next 20 years. The privacy program must “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information,” the order said. No fines were issued because the FTC doesn’t have the authority to do so, Leibowitz said. But if Facebook violates the settlement, it will be subject to a penalty of $16,000 per violation per day, he said. Leibowitz said the majority of the commission “would like to see greater fining authority, but that’s a matter for Congress."

The settlement drew praise from tech leaders on Capitol Hill, but also whet their appetites for further action on privacy. “This settlement will help ensure that companies keep their promises to consumers and give those consumers a real voice in how their information is used, distributed and managed,” said Senate Communications Subcommittee Chairman John Kerry, D-Mass. “It reinforces the principle that data collectors should not hold consumer information hostage, especially after a user has terminated the service,” and is consistent with Kerry’s Consumer Privacy Bill of Rights legislation, he said. Kerry and bill cosponsor Sen. John McCain, R-Ariz., recently asked the FTC and Commerce Department to hurry up and issue their final reports on consumer privacy protections (WID Nov 9 p3).

Rep. Anna Eshoo, D-Calif., emphasized the good will shown by Facebook, which is located in her Palo Alto district, in the settlement. “By making important and positive improvements to its approach to protecting user privacy, Facebook has made a commitment that it will put consumers first,” said Eshoo, ranking member of the House Communications Subcommittee. “The use of personal data by any company must be transparent and secure."

Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said the settlement wouldn’t stop him from pushing for privacy legislation to protect consumers “from companies surreptitiously collecting and using” their personal information. He said the settlement simply binds Facebook to “end deceptive practices and undergo rigorous oversight,” and is “just the first step” in a privacy overhaul. “It’s unacceptable for any company, including Facebook, to change customer privacy settings without their knowledge or consent, especially a company with 800 million users,” Rockefeller said.

The settlement raises as many questions as it answers, said Rep. Mary Bono Mack, R-Calif., chair of the House Manufacturing Subcommittee, which is considering privacy legislation. “Are companies following through on what they tell consumers? Are consumers really in charge when told they're in charge? And what’s the line between what information is okay to collect -- and more importantly share -- and what’s not?” she asked. The subcommittee will continue its hearings on privacy and “debate the need” for legislation “in the months ahead,” she said.

"Today’s settlement should not be the end” of Facebook’s efforts to give users control over their information, said Congressional Privacy Caucus Co-chairman Rep. Ed Markey, D-Mass., and Facebook’s policy should be “ask for permission, don’t assume it.” Citing his recent letter to Facebook inquiring about its patent application for tracking users after they leave the site (WID Nov 14 p4), Markey said, “We need to know more about Facebook’s current and future plans” for gathering user information. The settlement’s privacy protections “should serve as a new, higher standard” for other companies, he said. Caucus Co-chairman Rep. Joe Barton, R-Texas, said the FTC and Facebook are “both making a strong statement today” that “consumer privacy matters.” Barton said he was “disappointed” when Facebook made user profiles public by default (WID April 28/10 p9), and thanked the FTC for giving “much needed attention” to the company’s practices and policies.

The settlement mostly resolves Facebook’s earlier privacy changes that it addressed on its own, said Jules Polonetsky, director and co-chair of the Future of Privacy Forum. He thanked the FTC for being flexible, giving Facebook the option to seek modification to the settlement if it devises “some new form of sharing that is useful to consumers.” The settlement creates what any company should consider its “baseline requirements” for privacy -- securing “express consent” from users before exposing their information more publicly, and implementing a “formal program” that has “privacy staff” overseeing data use and product development, said Polonetsky, former chief privacy officer at AOL.

The FTC approach to building a “common law of privacy” is preferable to Congress trying to craft “comprehensive baseline privacy” legislation in the “European model,” said Berin Szoka, president of TechFreedom. “Case-by-case adjudication” such as the Facebook settlement “is a venerable American tradition,” and especially relevant to consumer privacy issues, he said: “Rather than rushing to write new laws,” Congress should give the FTC more resources to use its authority effectively, which should include “having a larger core of technologists on staff.” Information Technology and Innovation Foundation Senior Analyst Daniel Castro agreed that the FTC action shows the U.S. has a “healthy self-regulatory privacy system” that is more effective than “heavy-handed regulations” or “expensive and unproductive litigation.” Facebook has a “consistent track record” of responding to user and regulator privacy concern, he said.