[x-posted at Stanford Cyberlaw blog]
Earlier today the FTC released the proposed settlement agreement it reached with Facebook.
When it comes to online-privacy investigations, 2011 has been a busy year for the FTC. The FTC has settled landmark cases with other tech giants, including Google and Twitter. These efforts weren’t exactly unexpected. Ever since David Vladeck was named head of the Consumer Protection Bureau, the agency has insisted that tech companies do more to protect consumer privacy than post lengthy, unreadable privacy policies. With various data privacy bills making their way through Congress, several agency white papers and reports expected, and increased public awareness of online privacy, it is not surprising that the FTC would investigate Facebook. After all, Facebook has been in the center of several high-profile privacy controversies in the past two years.
The FTC’s action arose from several high profile issues. First, the FTC accused Facebook of having “deceptive privacy settings” regarding Apps in 2009. These settings were alleged to misrepresent users’ ability to block third parties from accessing their data. Facebook App companies could access information not only from the user who downloaded the App, but also from that user’s friends, often without the friends’ knowledge or permission.
Third, the FTC charged Facebook with sharing user information with advertisers after promising not to do so. This prompted several privacy groups to file a complaint with the FTC in late 2009.
In the settlement, Facebook made no admission of guilt but agreed to a comprehensive privacy program to focus on privacy risks that develop as a result of future Facebook developments and to ensure the protection of user data. This program will be subject to third-party evaluations every two years for up to 20 years. The evaluations will examine Facebook’s measures to safeguard user privacy and the measures’ effectiveness.
Further, Facebook is required to inform users and obtain their consent for any sharing of information that “materially exceeds” the user’s existing privacy settings. Also, Facebook must develop of procedures to ensure deleted data or data from deactivated accounts cannot be accessed by third parties.
Readers will note similarities with previous settlements. Both Twitter and Google also have comprehensive programs for 20 years, with evaluations every two years. Together, these three companies will likely have no choice but to become privacy leaders. Others in the market already look to the largest companies to determine the “best-practices” in privacy. Start-ups appear to cut and paste privacy policies from these companies, in determining their own.
Now that these companies’ practices are also subject to FTC consent orders, their practices may increasingly take on the stature of “government blessed” best practices, perhaps even safe harbors. It’s too early to tell. But we’ll find out over the next 20 years.