Facebook has settled Federal Trade Commission charges that it deceived consumers by not living up to privacy assurances it gave its users. The settlement includes the promise that Facebook will try to do business only with ISPs who can protect the privacy of covered information they get from Facebook.
That is according to the FTC, which said the social networking site had agreed, going forward, to give consumers "clear and prominent" notice when information is shared and to get express consent -- so-called opt-in -- for any sharing beyond established privacy settings.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said FTC Chairman Jon Leibowitz. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."
The complaint had alleged that Facebook had made public some information users may have designated as private; had misrepresented how much access third-party apps had to users' info; had said it had a "verified Apps" program to ensure the security of apps, but didn't; promised not to share personal information with advertisers, then did so; and more.
The settlement prevents Facebook from making any further deceptive claims, requires it to get approval before it changes the way it shares data, and requires third-party audits of its privacy practices for the next 20 years. It also requires it to institute a comprehensive privacy program, including requiring that it take reasonable steps to make sure it "uses" ISPs "capable of appropriately protecting the privacy of covered information they receive from Respondent and requiring service providers, by contract, to implement and maintain appropriate privacy protections for such covered information."
Facebook is specifically barred from making misrepresentations about the privacy or security of users' personal information, and it is required to:
- Obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- Prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
- Establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- Within 180 days, and every two years after that for the next 20 years, obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
The FTC action comes in response to complaints by the Electronic Privacy Information Center and a consumer group coalition.
Facebook waives any challenge of the settlement, which does not represent a finding that it violated any laws.