Federal Trade Commission resolves Facebook Privacy issues with a settlement

August 11, 2012

The Federal Trade Commission has announced a settlement with Facebook regarding its policies on sharing information beyond the established privacy settings.

The FTC's announcement provides:

Facebook Must Obtain Consumers’ Consent Before Sharing Their Information Beyond Established Privacy Settings

Following a public comment period, the FTC has accepted as final a settlement with Facebook resolving charges that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.

The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including by giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings, by maintaining a comprehensive privacy program to protect consumers’ information, and by obtaining biennial privacy audits from an independent third party.

The Commission vote to approve the final order and letters to members of the public who commented on it was 3-1-1 with Commissioner J. Thomas Rosch dissenting and Commissioner Maureen K. Ohlhausen not participating. The Commission issued a statement authored by Chairman Jon D. Leibowitz and Commissioners Edith Ramirez and Julie Brill. The Commission statement affirmed that, based on the extensive investigation of the staff, there is a strong reason to believe that the settlement is in the public interest, and that the Order’s provisions make clear that Facebook will be liable for a broad range of deceptive conduct. As set forth in his separate statement, Commissioner Rosch dissented from the acceptance of the final consent order, questioning whether Facebook’s express denial of liability provided “a reason to believe” that the settlement was “in the interest of the public” and expressing concern that the final consent order may not unequivocally cover all representations made in the Facebook environment. (FTC File No. 092-3184; the staff contact is Laura Berger, Bureau of Consumer Protection, 202-460-8364; see press release dated November 29, 2011.)

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

The FTC’s statement provides:

The final consent order in In re Facebook, Inc. that we approve today advances the privacy interests of the nearly one billion Facebook users around the world by requiring the company to live up to its promises and submit to privacy audits. Notably, Facebook will be subject to civil penalties of up to $16,000 for each violation of the order. We intend to monitor closely Facebook’s compliance with the order and will not hesitate to seek civil penalties for any violations.
We write to address the arguments raised by our colleague, Commissioner Rosch, who opposes final approval of the order. One of his objections relates to the extent to which the order would reach the activities of third-party “apps” downloaded by consumers while using the Facebook platform. The Order broadly prohibits Facebook from misrepresenting in any manner, expressly or by implication, the extent to which it maintains the privacy or security of any information it collects from or about consumers. For a company whose entire business model rests on collecting, maintaining, and sharing people’s information, this prohibition touches on virtually every aspect of Facebook’s operations. Further, the Order sets forth clear examples of how this broad prohibition would apply in connection with apps, by prohibiting Facebook from misrepresenting (1) the extent to which it makes its users’ information accessible to apps; or (2) the steps it takes to verify the privacy or security protections that apps provide. A statement from Facebook about an app’s conduct may well amount to a promise that Facebook is taking steps to assure the level of privacy or security that the app provides for consumers’ information. These provisions make clear that Facebook will be liable for conduct by apps that contradicts Facebook’s promises about the privacy or security practices of these apps.

Commissioner Rosch also opposes the consent order because it includes a denial by Facebook of the substantive allegations in the Commission’s complaint. Based on this denial, Commissioner Rosch asserts that the Commission lacks the requisite “reason to believe” that Facebook violated Section 5 of the Federal Trade Commission Act and a basis to conclude that the settlement is in “the interest of the public.”

We strongly disagree with Commissioner Rosch’s view that if the Commission allows a respondent to deny the complaint’s substantive allegations, or use language that is tantamount to a denial, there is no basis for the Commission to conclude that the respondent engaged in unlawful conduct or that the consent is in the public interest. As Commissioner Rosch is aware, an extensive investigation and detailed staff recommendation has given the Commission a strong—not just a reasonable—basis to issue its complaint in this case and to conclude that both the complaint and the resulting settlement are in the public interest. Here, as in all enforcement cases, it is the evidentiary record developed by FTC staff during the course of its investigation, not any ensuing settlement agreement, that forms the basis for action by the Commission. A respondent’s denial of liability in a consent agreement does not diminish staff’s extensive investigation or the ability of the Commission to find a reasonable basis to finalize a settlement or to enforce an order that results from settlement negotiations. Moreover, express denials of liability are consistent with the Commission’s current Rules of Practice.
We view the final consent order in this matter to be a major step forward for consumer privacy and hereby approve it.
While we do not believe that a respondent’s denial of liability is reason to reject a settlement that is in the public interest, we share Commissioner Rosch’s desire to avoid any possible public misimpression that the Commission obtains settlements when it lacks reason to believe that the alleged conduct occurred. We commend Commissioner Rosch for focusing our attention on the issue; going forward, express denials will be strongly disfavored. We also appreciate Commissioner Rosch’s suggestion that consent order language that the respondent “neither admits nor denies” a complaint’s allegations may very well be a more effective way to ensure that there are no misimpressions about the Commission’s process. Accordingly, we will consider in the coming months whether a modification to the Commission Rules of Practice is warranted.

The agreement is set out below:

The Federal Trade Commission has conducted an investigation of certain acts and practices of Facebook, Inc. (“Facebook”). Proposed Respondent, having been represented by counsel, is willing to enter into an agreement containing a consent order resolving the allegations contained in the attached draft complaint. Therefore,
IT IS HEREBY AGREED by and between Facebook, its duly authorized officers, and counsel for the Federal Trade Commission that:
1.    Proposed Respondent is a Delaware corporation with its principal office or place of business at 1601 S. California Avenue, Palo Alto, California, 94304.
2.    Proposed Respondent admits all the jurisdictional facts set forth in the draft complaint.
3.    Proposed Respondent waives:
A.    any further procedural steps;
B.    the requirement that the Commission’s decision contain a statement of findings of fact and conclusions of law; and
C.    all rights to seek judicial review or otherwise to challenge or contest the validity of the order entered pursuant to this agreement.
4.    This agreement shall not become part of the public record of the proceeding unless and until it is accepted by the Commission. If this agreement is accepted by the Commission, it, together with the draft complaint, will be placed on the public record for a period of thirty (30) days and information about it publicly released. The Commission thereafter may either withdraw its acceptance of this agreement and so notify proposed Respondent, in which event it will take such action as it may consider appropriate, or issue and serve its complaint (in such form as the circumstances may require) and decision in disposition of the proceeding.
5.    This agreement is for settlement purposes only and does not constitute an admission by proposed Respondent that the law has been violated as alleged in the draft complaint, or that the facts as alleged in the draft complaint, other than the jurisdictional facts, are true. Proposed Respondent expressly denies the allegations set forth in the complaint, except for the jurisdictional facts.
6.    This agreement contemplates that, if it is accepted by the Commission, and if such acceptance is not subsequently withdrawn by the Commission pursuant to the provisions of Section 2.34 of the Commission’s Rules, the Commission may, without further notice to proposed Respondent, (1) issue its complaint corresponding in form and substance with the attached draft complaint and its decision containing the following order in disposition of the proceeding, and (2) make information about it public. When so entered, the order shall have the same force and effect and may be altered, modified, or set aside in the same manner and within the same time provided by statute for other orders. The order shall become final upon service. Delivery of the complaint and the decision and order to proposed Respondent’s address as stated in this agreement by any means specified in Section 4.4(a) of the Commission’s Rules shall constitute service. Proposed Respondent waives any right it may have to any other means of service. The complaint may be used in construing the terms of the order, and no agreement, understanding, representation, or interpretation not contained in the order or the agreement may be used to vary or contradict the terms of the order.
7.    Proposed Respondent has read the draft complaint and consent order. Proposed Respondent understands that it may be liable for civil penalties in the amount provided by law and other appropriate relief for each violation of the order after it becomes final.
ORDER DEFINITIONS
For purposes of this order, the following definitions shall apply:
1.    Unless otherwise specified, “Respondent” shall mean Facebook, its successors and assigns. For purposes of Parts I, II, and III of this order, “Respondent” shall also mean Facebook acting directly, or through any corporation, subsidiary, division, website, or other device.
2.    “Commerce” shall be defined as it is defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 44.
3.    “Clear(ly) and prominent(ly)” shall mean:
A.    in textual communications (e.g., printed publications or words displayed on the screen of a computer or mobile device), the required disclosures are of a type, size, and location sufficiently noticeable for an ordinary consumer to read and comprehend them, in print that contrasts highly with the background on which they appear;
B.    in communications disseminated orally or through audible means (e.g., radio or streaming audio), the required disclosures are delivered in a volume and cadence sufficient for an ordinary consumer to hear and comprehend them;
C.    in communications disseminated through video means (e.g., television or streaming video), the required disclosures are in writing in a form consistent with subpart (A) of this definition and shall appear on the screen for a duration sufficient for an ordinary consumer to read and comprehend them, and in the same language as the predominant language that is used in the communication; and
D.    in all instances, the required disclosures: (1) are presented in an understandable language and syntax; and (2) include nothing contrary to, inconsistent with, or in mitigation of any statement contained within the disclosure or within any document linked to or referenced therein.
4.    “Covered information” shall mean information from or about an individual consumer including, but not limited to: (a) a first or last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a mobile or other telephone number; (e) photos and videos; (f) Internet Protocol (“IP”) address, User ID or other persistent identifier; (g) physical location; or (h) any information combined with any of (a) through (g) above.
5.    “Nonpublic user information” shall mean covered information that is restricted by one or more privacy setting(s).
6.    “Privacy setting” shall include any control or setting provided by Respondent that allows a user to restrict which individuals or entities can access or view covered information.
7.    “Representatives” shall mean Respondent’s officers, agents, servants, employees, attorneys, and those persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise.
8.    “Third party” shall mean any individual or entity that uses or receives covered information obtained by or on behalf of Respondent, other than: (1) a service provider of Respondent that (i) uses the covered information for and at the direction of Respondent and no other individual or entity and for no other purpose; and (ii) does not disclose the covered information, or any individually identifiable information derived from such covered information, except for, and at the direction of, Respondent, for the purpose of providing services requested by a user and for no other purpose; or (2) any entity that uses the covered information only as reasonably necessary: (i) to comply with applicable law, regulation, or legal process, (ii) to enforce Respondent’s terms of use, or (iii) to detect, prevent, or mitigate fraud or security vulnerabilities.
9.    “User” shall mean an identified individual from whom Respondent has obtained information for the purpose of providing access to Respondent’s products and services.
I.
IT IS ORDERED that Respondent and its representatives, in connection with any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information, including, but not limited to:
A.    its collection or disclosure of any covered information;
B.    the extent to which a consumer can control the privacy of any covered information maintained by Respondent and the steps a consumer must take to implement such controls;
C.    the extent to which Respondent makes or has made covered information accessible to third parties;
D.    the steps Respondent takes or has taken to verify the privacy or security protections that any third party provides;
E.    the extent to which Respondent makes or has made covered information accessible to any third party following deletion or termination of a user’s account with Respondent or during such time as a user’s account is deactivated or suspended; and
F.    the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any third party, including, but not limited to, the U.S.-EU Safe Harbor Framework.
II.
IT IS FURTHER ORDERED that Respondent and its representatives, in connection with any product or service, in or affecting commerce, prior to any sharing of a user’s nonpublic user information by Respondent with any third party, which materially exceeds the restrictions imposed by a user’s privacy setting(s), shall:
A.    clearly and prominently disclose to the user, separate and apart from any “privacy policy,” “data use policy,” “statement of rights and responsibilities” page, or other similar document: (1) the categories of nonpublic user information that will be disclosed to such third parties, (2) the identity or specific categories of such third parties, and (3) that such sharing exceeds the restrictions imposed by the privacy setting(s) in effect for the user; and
B.    obtain the user’s affirmative express consent.
Nothing in Part II will (1) limit the applicability of Part I of this order; or (2) require Respondent to obtain affirmative express consent for sharing of a user’s nonpublic user information initiated by another user authorized to access such information, provided that such sharing does not materially exceed the restrictions imposed by a user’s privacy setting(s). Respondent may seek modification of this Part pursuant to 15 U.S.C. §45(b) and 16 C.F.R. 2.51(b) to address relevant developments that affect compliance with this Part, including, but not limited to, technological changes and changes in methods of obtaining affirmative express consent.
III.
IT IS FURTHER ORDERED that Respondent and its representatives, in connection with any product or service, in or affecting commerce, shall, no later than sixty (60) days after the date of service of this order, implement procedures reasonably designed to ensure that covered information cannot be accessed by any third party from servers under Respondent’s control after a reasonable period of time, not to exceed thirty (30) days, from the time that the user has deleted such information or deleted or terminated his or her account, except as required by law or where necessary to protect the Facebook website or its users from fraud or illegal activity. Nothing in this paragraph shall be construed to require Respondent to restrict access to any copy of a user’s covered information that has been posted to Respondent’s websites or services by a user other than the user who deleted such information or deleted or terminated such account.
IV.
IT IS FURTHER ORDERED that Respondent shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information. Such program, the content and implementation of which must be documented in writing, shall contain controls and procedures appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the covered information, including:
A.    the designation of an employee or employees to coordinate and be responsible for the privacy program.
B.    the identification of reasonably foreseeable, material risks, both internal and external, that could result in Respondent’s unauthorized collection, use, or disclosure of covered information and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including training on the requirements of this order, and (2) product design, development, and research.
C.    the design and implementation of reasonable controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those controls and procedures.
D.    the development and use of reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Respondent and requiring service providers, by contract, to implement and maintain appropriate privacy protections for such covered information.
E.    the evaluation and adjustment of Respondent’s privacy program in light of the results of the testing and monitoring required by subpart C, any material changes to Respondent’s operations or business arrangements, or any other circumstances that Respondent knows or has reason to know may have a material impact on the effectiveness of its privacy program.
V.
IT IS FURTHER ORDERED that, in connection with its compliance with Part IV of this order, Respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. A person qualified to prepare such Assessments shall have a minimum of three (3) years of experience in the field of privacy and data protection. All persons selected to conduct such Assessments and prepare such reports shall be approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, in his or her sole discretion. Any decision not to approve a person selected to conduct such Assessments shall be accompanied by a writing setting forth in detail the reasons for denying such approval. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for twenty (20) years after service of the order for the biennial Assessments. Each Assessment shall:
A.    set forth the specific privacy controls that Respondent has implemented and maintained during the reporting period;
B.    explain how such privacy controls are appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the covered information;
C.    explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
D.    certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.
Each Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by Respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.
VI.
IT IS FURTHER ORDERED that Respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy of:
A.    for a period of three (3) years from the date of preparation or dissemination, whichever is later, all widely disseminated statements by Respondent or its representatives that describe the extent to which Respondent maintains and protects the privacy, security, and confidentiality of any covered information, including, but not limited to, any statement related to a change in any website or service controlled by Respondent that relates to the privacy of such information, along with all materials relied upon in making such statements, and a copy of each materially different privacy setting made available to users;
B.    for a period of six (6) months from the date received, all consumer complaints directed at Respondent or forwarded to Respondent by a third party, that relate to the conduct prohibited by this order and any responses to such complaints;
C.    for a period of five (5) years from the date received, any documents, prepared by or on behalf of Respondent, that contradict, qualify, or call into question Respondent’s compliance with this order;
D.    for a period of three (3) years from the date of preparation or dissemination, whichever is later, each materially different document relating to Respondent’s attempt to obtain the consent of users referred to in Part II above, along with documents and information sufficient to show each user’s consent; and documents sufficient to demonstrate, on an aggregate basis, the number of users for whom each such privacy setting was in effect at any time Respondent has attempted to obtain and/or been required to obtain such consent; and
E.    for a period of three (3) years after the date of preparation of each Assessment required under Part V of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment.
VII.
IT IS FURTHER ORDERED that Respondent shall deliver a copy of this order to (1) all current and future principals, officers, directors, and managers; (2) all current and future employees, agents, and representatives having supervisory responsibilities relating to the subject matter of this order, and (3) any business entity resulting from any change in structure set forth in Part VIII. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VIII, delivery shall be at least ten (10) days prior to the change in structure.
VIII.
IT IS FURTHER ORDERED that Respondent shall notify the Commission within fourteen (14) days of any change in Respondent that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line In the Matter of Facebook, Inc., FTC File No.[    ]. Provided, however, that in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of any such notice is contemporaneously sent to the Commission at Debrief@ftc.gov.
IX.
IT IS FURTHER ORDERED that Respondent, within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of their own compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, Respondent shall submit additional true and accurate written reports.
X.
This order will terminate twenty (20) years from the date of its issuance, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:
A.    any Part of this order that terminates in fewer than twenty (20) years; and
B.    this order if such complaint is filed after the order has terminated pursuant to this Part.
Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that this order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.