FTC bars Facebook from using deceptive privacy practices

November 29th, 2011

Facebook on Tuesday agreed to a Federal Trade Commission consent order barring the company from deceiving consumers about its privacy practices. The order also requires Facebook  to submit to monitoring for 20 years.

The sanctions stem from privacy setting changes Facebook made in December 2009, without asking users’ permission.

The company told users they could keep full control of who could access their content on Facebook when, in fact, the company repeatedly allowed information to be shared and made public, as outlined in the FTC’s 19-page complaint.

The order is expected to give technologists and privacy advocates a new, more effective tool to monitor Facebook’s privacy practices, says Jeff Chester, executive director of the non-profit Center for Digital Democracy.

“We will have to come in and show how Timeline and the ever expanding data targeting practices violate the order,” says Chester. “This order does put the burden on privacy groups to make any safeguards stick. We have a chance to force the company to change the way it does business. ”

Bono Mack

And Federal lawmakers focusing on privacy issues will also be closely monitoring the aftermath of the FTC’s order, says Rep. Mary Bono Mack, R-Calif.

“In many ways this settlement clearly demonstrates that the privacy debate in Washington remains unresolved,” says Bono Mack. “Privacy policies should be transparent and understandable to everyone, and consumers should have an easy-to-understand way to opt out of sharing information, if they choose to do so.”

Facebook CEO Mark Zuckerberg insisted in a blog posting that the company has “a good history of providing transparency and control over who can see your information,” but admitted that “we’ve made a bunch of mistakes.”

IPO, Do Not Track form backdrop

The FTC’s sanction comes as Facebook readies itself for a high-profile initial public offering of stock, expected next spring. Today, co-incidentally on the same day the FTC’s sanction was announced, the Wall Street Journal reported Facebook’s IPO may ring in at $10 billion.

Meanwhile, the company has come under rising criticism in the U.S. and Europe for using Like buttons embedded on millions of websites to monitor Web surfing.

Facebook compiles tracking logs of the webpages viewed by each of its 800 million members, and millions more non-members, the company recently  disclosed in exclusive USA TODAY interviews.

Rockefeller

New federal laws are needed to help consumers “protect their personal information from companies surreptitiously collecting and using that personal information for profit,” says Sen. Jay Rockefeller, D-W. Virg, sponsor of a Do Not Track law that would restrict online tracking.

Rockefeller commended the FTC’s action. “Consumer privacy is a right, not a luxury,” he says. “This action against Facebook is just the first step toward protecting consumer privacy.”

Jules Polonetsky, Director and Co-Chair, Future of Privacy Forum, noted that the FTC order sends a message to other Internet-based companies the they need to get express consent from consumers to alter privacy practices.

“And if you are a custodian of user data, you need to have a formal program in place that ensures that data use and product development are overseen by privacy staff,” says Polonetsky. “These are guidelines that any company that interacts with consumer data would be wise to consider baseline requirements.”

What Facebook shall do

Included in the  8-counts of unfair and deceptive practices outlined in the FTC’s  complaint are charges that Facebook improperly disclosed information to advertisers and continued to display photos and videos even after they accounts were deactivated. The consent order, which must be approved by a judge, requires Facebook to:

  • Obtain express consent before overriding users’ privacy preferences.
  • Cut off access to a user’s material within 30 days after deletion of an account.
  • Establish a comprehensive privacy program covering new and existing products and services.
  • Submit to privacy program audits within 180 days and every two years after than for the next 20 years. Monitoring would be handled by an independent professional yet to be named.

Even after the consent order takes effect, Facebook users may not notice anything different. It’s not clear how the FTC’s order could affect Facebooks plans for new services, including “Timeline” pages that digitally map everything a user has ever done on the popular social network, and “Open Graph” applications designed to broadcast a  user’s surfing patterns widely across Facebook.

Chris Conley, a tech and civil liberties attorney at the ACLU’S Northern California affiliate, notes that Facebook’s privacy settings make no reference to Like button tracking.

“There’s no setting for a user to control that,” says Conley. “It’s questionable if something that doesn’t have a privacy setting today is covered by the FTC’s settlement proposal, or how the FTC would respond if Facebook started using this data in unexpected ways.”

A call for opt-in

Marc Rotenberg, executive director of the non profit Electronic Privacy Information Center, noted that the FTC stopped short of ordering Facebook to restore the more rigorous privacy settings that were in effect prior to December 2009.

EPIC and nine other groups filed the complaint that triggered the FTC probe. “If it was unfair to change the privacy settings, then the right response would be to change the settings back,” Rotenberg says.

Steyer

James P. Steyer, CEO of Common Sense Media, added: “It’s incredibly encouraging to see an industry leader like Facebook held to a higher standard of privacy protections. It’s our hope that this decision and its focus on the necessity of opt-in will lead other companies to follow suit. Until large tech companies start listening to the public, this kind of action from the FTC is critical. Government regulation and leadership is essential in order to help protect our privacy – and that of our kids – online.”

A poll by Common Sense Media conducted late last year found 75 percent of parents do not believe social networks were doing enough to keep their kids safe online.

Says Steyer: “With more than 7.5 million kids on Facebook, and even more using digital devices like smartphones and tablet computers, it’s imperative that other leaders in this industry hear the FTC’s message loud and clear: the concept of privacy is definitely not dead – especially for parents – and opt-in must become the standard all other companies employ.”

– By Byron Acohido