Social networking website operator Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing the information to be shared and made public, the FTC announced today.
The proposed settlement requires Facebook to take steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said FTC Chairman Jon Leibowitz. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."
According to the FTC:
• Facebook changed its website so certain information that users may have designated as private was made public, without warning users of the change or getting their approval.
• Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data, including data the apps didn't need.
• Facebook told users they could restrict sharing of data to limited audiences—for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party apps their friends used.
• Facebook falsely claimed that it certified the security of participating apps, that it would not share users’ personal information with advertisers, and that it complied with the U.S.-EU Safe Harbor Framework for international data transfers.
• Contrary to promises made to users, Facebook continued to allow access to photos and videos posted by users, even after the users had deactivated or deleted their accounts.
The proposed settlement bars Facebook from making further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that Facebook obtain periodic assessments of its privacy and data protection practices by independent, third-party auditors for the next 20 years.
Facebook also would be required to prevent anyone from accessing a user's material later than 30 days after the user has deleted his or her account.
The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0.
The agreement will be subject to public comment through December 30, 2011, after which the Commission will decide whether to make the proposed consent order final.
More information on the proposed settlement in In the Matter of Facebook, Inc., File No. 092 3184, is available on the FTC’s website.