Facebook’s 2011 FTC Consent Order
2004: Mark Zuckerberg starts Facebook as a social networking site for Harvard Undergraduates
2006: Facebook launches “News Feed,” which allowed Facebook to post information directly to a user’s page. Within 24 hours, hundreds of thousands of the site’s users protested, prompting Mark Zuckerberg to write an open letter to Facebook users apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them.” Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.
2007: Facebook launches Facebook Beacon, a program that broadcast users’ private online purchases on their friends’ News Feeds. Users were given no advance warning of the program and could not opt out. As a result of widespread criticism, Facebook shut down Beacon in 2009.
June 11, 2008: EPIC President Marc Rotenberg testifies before Congress on social network privacy:
February 4, 2009: Facebook changes its Terms of Service. The revised TOS allow Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC plans to file a complaint with the FTC alleging that the new TOS violated the FTC Act.
February 18, 2009: On the eve of EPIC’s FTC complaint, Facebook backs down on its revised TOS, announcing that it will restore the original TOS.
December 17, 2009: EPIC and consumer organizations file a complaint with the FTC alleging that Facebook’s privacy practices were unfair and deceptive. The complaint warns that Facebook granted third party apps unrestricted access to user data without users’ knowledge or consent.
July 29, 2010: EPIC urges Congress to strengthen privacy laws for Facebook users. In prepared testimony, EPIC President Marc Rotenberg urged lawmakers to update federal law to protect the privacy of Facebook users, explaining that Facebook’s constant changes to its privacy settings have made it virtually impossible for users to control who gets access to their information.
September 29, 2011: EPIC writes a letter to the FTC urging it to stop Facebook from using cookies to secretly track Internet users “even after they have logged off of Facebook.”
November 29, 2011: Facebook settles FTC charges that it deceived consumers by failing to keep privacy promises. The FTC issued an eight-count complaint against Facebook alleging unfair and deceptive practices by Facebook:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
Under the proposed FTC Order, Facebook was:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
In its announcement of the settlement, the FTC noted that “Facebook’s privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups.”
December 27, 2011: EPIC’s comments urge the FTC to strengthen the proposed order. Specifically, EPIC’s recommended that the FTC require Facebook to:
- Allow users to access all of the data that Facebook keeps about them;
- Cease creating facial recognition profiles without users’ affirmative consent;
- Make Facebook’s privacy audits publicly available to the greatest extent possible;
- Cease secret post-log out tracking of users across websites.
In a separate letter, EPIC also asked the Commission to determine whether Facebook’s Timeline, which made archived and inaccessible information widely available without the consent of the user, was consistent with the terms of the Order.
August 10, 2012: The FTC adopts a Final Order against Facebook without any modifications.
2012 – 2018: The FTC never charges Facebook with a single violation of the Consent Order despite numerous complaints.
March 20, 2018: EPIC and consumer groups urge the FTC to investigate Facebook following revelations that Facebook permitted the disclosure of 87 million user records to the controversial political data mining firm Cambridge Analytica.
March 26, 2018: The FTC confirms an investigation into Facebook.
July 24, 2019: The FTC announces a proposed settlement to end its investigation into Facebook. This was the first fine against Facebook since EPIC and a coalition of privacy organizations filed a complaint with the Commission about the company’s businesses practices back in 2009. The FTC fined Facebook $5 billion, but required no meaningful changes to the business practices that violate user privacy.
July 26, 2019: EPIC files a Motion to Intervene in United States v. Facebook to protect the interests of Facebook users.
- EPIC FTC Complaint In re Facebook (filed Dec. 17, 2009)
- EPIC FTC Supplemental Complaint In re Facebook (filed Jan. 14, 2010)
- FTC Complaint In the Matter of Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011).
- FTC Press Release Announcing Proposed Consent Order (Nov. 29, 2011).
- FTC Analysis of Proposed Consent Order to Aid in Public Comment
- EPIC Comments on Proposed Consent Order (Dec. 27, 2011).
- EPIC Letter to the FTC Concerning Facebook Timeline (Dec. 27, 2011)
- FTC Decision and Order (Aug. 10, 2012)
- EPIC Letter to FTC Urging Investigation into Facebook (Mar. 20, 2018)
- EPIC FOIA Request to FTC Requesting All Consumer Complaints Made During Consent Order (Mar. 13, 2019)
- EPIC FOIA Request to FTC Requesting Records About FTC Associate Director of Enforcement James A. Kohm after the FTC Issued the 2011 Consent Order (May 29, 2019)
- Records of Director Kohm’s Meeting Regarding Facebook (July 9, 2019)
- EPIC FOIA Request to FTC Requesting the Proposed Settlement with Facebook, Including Dissenting Opinions (July 15, 2019)
- Complaint for Civil Penalties, Injunction, and Other Relief (July 30, 2019)
- Plaintiff’s Consent Motion for Entry of the Stipulated Order (July 30, 2019)
- Statement of Chairman Joe Simons and Commissioner’s Noah Phillips and Christine Wilson (July 30, 2019)
- Dissenting Statement of Commissioner Rohit Chopra (July 30, 2019)
- Dissenting Statement of Commissioner Rebecca Slaughter (July 30, 2019)
- EPIC FOIA Request to FTC Requesting All Consumer Complaints Made During Consent Order Until After the Proposed Settlement with Facebook (July 25, 2019)
- Complaints, Request for Investigation, and Similar “Complaint-Like” Records Made by Third Parties to the FTC (part 1, part 2) (Sept. 20, 2019)