On November 29, the Federal Trade Commission announced that it had entered an agreement and consent order with Facebook Inc. to settle charges made by the FTC that Facebook’s changes to its website’s privacy settings in December 2009 had threatened the “health and safety” of Facebook’s users. As alleged in the FTC’s complaint, Facebook’s 2009 website changes made aspects of users’ profiles, such as name, picture, gender and friends lists, public by default, retroactively overriding their existing privacy preferences without their consent. The FTC charged that these changes were in violation of Facebook’s own published privacy policy and, as a result, Facebook engaged in deceptive practices in violation of Section 5 of the FTC Act.
Under the threat of steep civil penalties, the settlement order bars Facebook from making future misrepresentations about its privacy practices and requires Facebook to take steps to ensure that it will live up to the promises it makes to its subscribers to protect the privacy and security of their information. Most significantly, as part of the settlement, Facebook agreed that in the future it would give its users clear and prominent notice and obtain their affirmative express consent before changing the way their personal information will be shared if those changes would override their previous privacy settings. This order is expected to fundamentally change the way Facebook rolls out new features going forward. In the past, Facebook has often implemented new features and asked users to “opt out” if they do not want them. In light of the settlement agreement, users of the social network will very likely have to “opt in” to new features.
Writing in his blog in response to this FTC action, Facebook’s founder and chief executive officer Mark Zuckerberg admitted that the company had made “a small number of high profile mistakes” such as “poor execution as we transitioned our privacy model two years ago.” Zuckerberg also said that he is “committed to making Facebook the leader in transparency and control around privacy.” Not to be outdone, the FTC’s Division of Consumer and Business Education posted its own blog commentary entitled “Where Facebook Went Wrong” in an effort to guide businesses on their own privacy promises and practices so that they could avoid a fate similar to Facebook’s, warning that “what businesses say about the personal information they collect from you has to line up with their day-to-day procedures.”
As a result of the settlement, Facebook appointed two attorneys as chief privacy officers, one to oversee product-related privacy issues and the other to oversee policy-related privacy decisions. The settlement also requires Facebook to submit to biannual privacy audits for the next 20 years. If Facebook violates the agreement, it could be fined $16,000 per day per violation.