Social Network Service Facebook Settles FTC Charges over Privacy Practices

According to a news release on the Federal Trade Commission (FTC) website, social network service Facebook has agreed to settle FTC charges of failing to keep promises of privacy after the company “deceived consumers by telling them they could keep their information on Facebook private and then repeatedly allowing it to be shared and made public.” The FTC’s eight-count complaint against Facebook – part of the agency’s ongoing effort to ensure companies live up to the privacy promises they make to American consumers – charged that the claims that Facebook made “were unfair and deceptive and thus violated federal law.”

The FTC complaint against Facebook – available at http://www.ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf – listed a number of instances in which Facebook allegedly made promises that it did not keep:

• Facebook changed its website in December 2009 without warning users or getting their approval in advance so information some users designated as private – such as their Friends List – was made public.
• Facebook represented that third-party applications (“apps”) installed by users would only have access to user information they needed to operate when, in fact, the apps could access nearly all of the personal data of users.
• Facebook told users they could restrict sharing of data to limited audiences such as “Friends Only” when, in fact, selecting “Friends Only” did not prevent information from being shared with third-party apps used by friends.
• Facebook claimed its “Verified Apps” program certified the security of participating apps when it did not.
• Facebook promised users that it would not share their personal information with advertisers but it did.
• Facebook claimed that photos and videos of users who deactivated or deleted their accounts would be inaccessible but they remained accessible.
• Facebook claimed it complied with the United States – European Union (EU) Safe Harbor Framework that governs data transfer between the U.S. and EU but it did not.

As part of the proposed settlement, Facebook – the world’s largest online community with an estimated 800 million active users worldwide –  is required to take several steps to make sure the company keeps the privacy promises it makes to hundreds of millions of users in the future, including giving users clear and prominent notice and obtaining the express consent of users before their information is shared beyond the privacy settings they have established. More specifically, under the proposed settlement, Facebook is:

• Barred from making misrepresentations about the privacy or security of the personal information of consumers;
• Required to prevent anyone from accessing a user’s material more than thirty (30) days after the user has deleted his or her account;
• Required to establish and maintain a comprehensive privacy program designed to address privacy risks and to protect the privacy and confidentiality of consumers’ information; and
• Required to obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years to ensure that the privacy of consumers’ information is protected.

The Federal Trade Commission – the federal agency that works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them – will monitor compliance with its order under standard record keeping provisions contained in the proposed order.

In a November 29, 2011 post on The Facebook Blog, Facebook’s founder and CEO Mark Zuckerberg wrote that while overall the company had “a good history of providing transparency and control over who can see your information” he admitted that “a small number of high profile mistakes” such as “poor execution as we transitioned our privacy model two years ago” may have overshadowed much of the social network’s good work. He also wrote in depth about the issues concerning the privacy of personal information online:

I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service.  Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It’s important for people to think about this, and not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.
Facebook has always been committed to being transparent about the information you have stored with us – and we have led the internet in building tools to give people the ability to see and control what they share. 

But we can also always do better. I’m committed to making Facebook the leader in transparency and control around privacy.

As we have grown, we have tried our best to listen closely to the people who use Facebook. We also work with regulators, advocates and experts to inform our privacy practices and policies. Recently, the US Federal Trade Commission established agreements with Google and Twitter that are helping to shape new privacy standards for our industry. Today, the FTC announced a similar agreement with Facebook. These agreements create a framework for how companies should approach privacy in the United States and around the world.

Later on in his post, Zuckerberg addressed specific FTC charges relating to Facebook:

Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised. For example, their complaint to us mentioned our Verified Apps Program, which we canceled almost two years ago in December 2009. The same complaint also mentions cases where advertisers inadvertently received the ID numbers of some users in referrer URLs. We fixed that problem over a year ago in May 2010.

In addition to these product changes, the FTC also recommended improvements to our internal processes. We’ve embraced these ideas, too, by agreeing to improve and formalize the way we do privacy review as part of our ongoing product development process. As part of this, we will establish a biannual independent audit of our privacy practices to ensure we’re living up to the commitments we make.


Regarding the settlement with the FTC, Zuckerberg wrote that he looked forward “to working with the Commission as we implement this agreement” which he hoped would make clear that “Facebook is the leader when it comes to offering people control over the information they share online.” The post is available at https://blog.facebook.com/blog.php?post=10150378701937131.