Facebook Settles Federal Trade Commission Charges That It Tricked Users on Privacy Settings

The Federal Trade Commission announced a settlement with Facebook this morning over charges that the social network deceived users by failing to honor privacy agreements.

Under the agreement, Facebook:

  • cannot misrepresent the privacy or security of users' personal information;
  • must get user consent before releasing changes that override existing privacy settings;
  • must, within 30 days of a user deleting their account, prevent anyone from accessing that user's material;
  • has to establish and maintain a privacy program that addresses risks that come with “the development and management” of products and services and that protects the privacy of users' information;
  • and — within 180 days and every two years afterward for the next 20 — must seek out third-party audits verifying that the privacy program is in place and that it satisfies the FTC’s order.

The agreement comes nearly two years after the American Civil Liberties Union and the Electronic Frontier Foundation raised concerns over Facebook’s 2009 changes to its privacy settings that exposed personal information — namely profile name, profile picture, list of friends, current city, gender, networks, and Pages — to a larger audience than the social network previously allowed. Earlier in 2011, it was reported that Facebook would settle with the FTC over charges that these changes deceived users and violated their privacy — making any changes that retroactively expose user data an opt-in instead of a mandatory change.

At this point, Facebook would have to take pretty intentional steps against the terms of the agreement to cause the FTC to pursue action against it again. In the last year alone, Facebook has also added or changed many features that affect privacy in ways that address the FTC’s complaint — like protecting user IDs from falling into the wrong hands.

In a Facebook response post to the agreement, Mark Zuckerberg says that he feels the platform has a positive track record for providing transparency and control over privacy settings.

“That said,” his post reads, “I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done. I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service. Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It’s important for people to think about this, and not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.”

Zuckerberg also announced that Erin Egan will become Chief Privacy Officer, Policy and that Michael Richter will become Chief Privacy Officer, Products.

During a media call with the FTC, Chairman Jon Leibowitz, Bureau of Consumer Protection Deputy Director Jessica Rich, Division of Privacy and Identity Protection Associate Director Maneesha Mithal, and Division of Privacy and Identity Protection Staff Attorney Laura Berger explained carefully that the settlement does not count as a ruling that Facebook violated the law in changing its privacy settings or that it knowingly shared private user data with advertisers. They also stressed that the order is very broad: it prohibits any deception about privacy in the future whenever Facebook introduces changes or updates.