The Federal Trade Commission (“FTC”) brought a complaint against Facebook, Inc. for violation of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.
According to the FTC, Facebook has collected extensive “profile information” about its users and violated the FTC Act on eight separate counts of unfair or deceptive acts. Specifically, the FTC found that Facebook:
- misled users by representing that they could restrict access to their profile information to specific groups through their Privacy Profile Settings, when in fact such information could be accessed by their Friends’ Platform Applications;
- misled users by advertising that its December Privacy Changes would provide users “more control” and allow them to preserve their “old settings” while failing to disclose that the Privacy Changes overrode existing settings and made certain information available to the public, facts which would be material to consumers;
- unfairly applied material changes to privacy policies relating to private information retroactively and without user consent;
- misled users by representing that Platform Applications accessed only information necessary for them to operate when, in fact, Facebook provided them with unrestricted access to unnecessary user profile information;
- misled users by representing that Facebook did not provide advertisers with information about users when, in fact, it did;
- misled users by representing that Platform Applications that received a Verified Apps badge had undergone and exceeded a security review by Facebook when, in fact, the review process did not exceed standards;
- misled users by representing that after a user deleted or deactivated her account, Facebook would not provide third parties access to profile information when, in fact, it allowed access to uploaded photos or videos;
- misled users by representing that Facebook complied with the Safe Harbor Privacy Principles when, in fact, it did not adhere to the Principles of Notice and Choice.
On July 27, 2012, the FTC issued a decision and order settling the matter with Facebook. According to the order, Facebook undertook to:
- not misrepresent the extent to which it maintains the privacy or security of covered information;
- provide comprehensive disclosure and obtain the user’s affirmative express consent prior to any sharing of a user’s nonpublic user information;
- implement procedures to ensure that covered information cannot be accessed by any third party after a reasonable period of time, not to exceed thirty (30) days, from the time that the user has deleted such information or deleted or terminated his or her account, except as required by law;
- implement a comprehensive privacy program to (1) address privacy risks related to products and services, and (2) protect the privacy of covered information;
- obtain biennial assessments from a third-party professional for the next twenty (20) years;
- submit to the FTC for auditing and reporting.
More information about the case against Facebook is available at http://www.ftc…