Facebook settles privacy complaints with US regulator

December 5, 2011

Facebook Inc has entered into a consent order regarding its privacy practices and settings. It is found here.

Pursuant to the agreement (which contains the order) Facebook will have to obtain “affirmative express consent” from its users before imposing material changes to their privacy settings.

The order provides:

“[Facebook] shall clearly and prominently disclose to the user, separate and apart from any ‘privacy policy,’ ‘data use policy,’ ‘statement of rights and responsibilities’ page, or other similar document: the categories of nonpublic user information that will be disclosed to such third parties, the identity or specific categories of such third parties, and that such sharing exceeds the restrictions imposed by the privacy setting(s) in effect for the user; and obtain the user’s affirmative express consent.”

Facebook is barred from misrepresenting “the extent to which it maintains the privacy or security” of “information from or about an individual consumer”, such as users’ names, addresses, photos and location. Facebook will also have to “establish and maintain a comprehensive privacy program” that will help it flag up and address privacy risks associated with any new innovations and protect the privacy of users’ information.

Facebook will have to undergo compulsory bi-annual privacy audits for the next 20 years and cut off third party access to user accounts within 30 days of them being deleted, unless access is required by law or is necessary to protect the Facebook website or its users from fraud or illegal activity.

The measures are open to public comment until 30 December after which the FTC will decide whether to formally accept them.

Facebook made users’ private information public without warning and without approval, the FTC said. The social network also shared users’ personal data with advertisers despite saying it would not and allowed third-party apps access to more user data than was needed in order to operate, the regulator said. The FTC said that Facebook’s claim that it could certify the security of verified apps was false, and that it did not prevent third-party apps used by users’ friends from accessing data users would share with those people, despite telling them the data would be shared with ‘friends only’. It also said Facebook wrongly claimed that it shut off access to photos and videos on deactivated or deleted accounts and that it complied with US-EU Safe Harbor rules on the transfer of data.

There is a different take on this issue in a recent article by Slate, It’s Not All Facebook’s Fault, You’re as much to blame for the site’s privacy woes as Mark Zuckerberg. As far as the law is concerned, it has no weight, but it is an interesting perspective. Individual responsibility has to be stressed to the Facebook generation.
