Facebook is settling with the Federal Trade Commission over charges it deceived consumers when it changed its privacy settings in 2009, agreeing to get permission from users before changing the way it shares data and submitting to independent third-party audits of its privacy practices every two years for the next 20 years.
As part of the settlement announced on Tuesday, Facebook has also agreed to develop and maintain a comprehensive privacy program, build privacy protections into its products, and bar access to Facebook user data 30 days or more after users delete their accounts.
“We think we came up with something that protects consumers on Facebook and allows Facebook to innovate going forward,” FTC Chairman Jon Leibowitz said during a conference call.
FTC does not have authority to impose a fine in such settlements but it can charge penalties of up to $16,000 per violation per day if Facebook fails to abide by the settlement, Leibowitz said.
The agency outlined eight specific unfair or deceptive practices Facebook allegedly engaged in. These include making changes to privacy policies in 2009 without gaining the consent of users and giving third-party application providers access to much more information about users than promised. The commission also alleged that Facebook shared user information with advertisers despite promises to the contrary and that it continued to allow access to user content even after users deleted their accounts.
Facebook founder Mark Zuckerberg wrote in his blog that the settlement is modeled after other recent agreements with Google and Twitter.
"Today, the FTC announced a similar agreement with Facebook. These agreements create a framework for how companies should approach privacy in the United States and around the world,” he wrote.
Zuckerberg said the company was appointing two new corporate officers. Erin Egan, a former partner in global privacy and data security practice Covington & Burling, will become chief privacy officer for policy, while Michael Richter, Facebook's chief privacy counsel, becomes chief privacy officer for products.
"Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised," Zuckerberg wrote.
The Electronic Privacy Information Center, which filed the original complaint with FTC against Facebook, said the settlement is fair and will give users more control over the information they post. But EPIC President Marc Rotenberg told reporters in a conference call that he was disappointed FTC did not require Facebook to change its privacy settings back to what they were before the social-networking site changed them in 2009. “As a consequence, the company will be able to use information we believe was improperly obtained,” Rotenberg said.
While some lawmakers praised the settlement, including House Energy and Commerce Communications Subcommittee ranking member Anna Eshoo, D-Calif., Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said the settlement underscores the need for Congress to pass legislation providing all U.S. consumers with basic privacy protections.
“Ultimately, I believe legislation is needed that empowers consumers to protect their personal information from companies surreptitiously collecting and using that personal information for profit,” Rockefeller said in a statement. “It’s unacceptable for any company, including Facebook, to change customer privacy settings without their knowledge or consent, especially a company with 800 million users.”
The ACLU’s Chris Conley agreed. “To keep pace with new technology, we also need new laws and tools like Do Not Track and comprehensive privacy legislation to help us safeguard our own personal information. We shouldn’t have to struggle with complicated and constantly shifting privacy settings just to keep control of our own personal information,” Conley said in a statement.
Some groups, however, argued that the settlement with Facebook and previous agreements with Google and Twitter show that the current mix of FTC oversight and industry self-regulation works.
“The latest action from the FTC highlights the fact the U.S. has a healthy self-regulatory privacy system in place that protects consumers while still allowing for innovation,” Information Technology & Innovation Foundation Senior Analyst Daniel Castro said in a statement. “Most of the concerns presented to the FTC in this inquiry have long since been resolved to the satisfaction of all parties.”