Report: Facebook to Settle FTC Case by Making Privacy Changes Opt-In

Facebook is close to settling charges by the Federal Trade Commission that it deceived users about privacy changes, The Wall Street Journal reports. The settlement would “require Facebook to obtain ‘express affirmative consent’ when it makes ‘material retroactive changes'” to private user data. In other words, sharing-related privacy changes will now be up to users to opt into — Facebook won’t be able to force people to either make more data available, or have to “opt out” of using Facebook.

The specific issue is that Facebook changed its privacy policies in late 2009, forcing all users to make some information public that it had previously said would not be made public. Until that point, Facebook’s policy had said that “you choose what information you put in your profile, including contact and personal information, pictures, interests and groups you join. And you control the users with whom you share that information through the privacy settings on the Privacy page.”

That November, it announced that some of this information — profile name, profile picture, list of friends, current city, gender, networks, and Pages — would be made public as part of a privacy policy change. And it was, that December, causing an outcry among some users and privacy advocates, and getting the FTC’s attention.

While both the November policy change and December product update stated what the changes were, many users still didn’t comprehend what was going on — especially because Facebook had not previously told them to expect such changes. Further issues, like Facebook making all Liked Pages public in April of 2010, or more recently offering a face-targeting service, have added to the perception among some that Facebook is not prioritizing privacy.

The settlement, which Facebook isn’t commenting on right now, appears to create new limits around what Facebook might launch in the future. It would be precluded from doing anything like that December 2009 product change, for example. In addition, Facebook will be subject to independent privacy audits for the next 20 years, although it’s currently unclear who the auditors would be or how they would hold Facebook accountable.

Facebook’s side of this story is that it has needed to revisit out the right balance of public/private as its service has evolved, and as cultural expectations around privacy have changed. When the company first launched on college campuses, the whole point was to offer a private community. Today, some use the site for sharing content more publicly.

If the FTC had acted earlier, maybe it would have precluded Facebook from creating more value for users (a key risk that the company created for itself due to its decisions). For example, if some large portion of users had chosen not to make their profile photos and names public, Facebook’s social plugins would be able to show significantly less relevant social information to other users.

But at this point, Facebook appears to have gotten its main privacy changes completed, and we’re left wondering what the FTC will have left to enforce.