Facebook’s 2011 FTC Consent Order
- In Facebook Case, Ninth Circuit Ignores Privacy Risks of Visits to Healthcare Websites: In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information..." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations. (Dec. 7, 2018)
- Facebook's Response to Congress Provides More Evidence of Consent Order Violations: Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jul. 2, 2018)
- EPIC Urges Appeals Court to Protect Consumers Against Invasive Cookie Tracking Practices (Jun. 27, 2018) +
- US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices (Jun. 27, 2018) +
- At Senate Hearing, Former FTC CTO States That Facebook Violated FTC Consent Order (Jun. 19, 2018) +
- EPIC Urges Senate Committee to Focus on Consent Order with Facebook (Jun. 19, 2018) +
- Facebook Overrode Users’ Privacy Settings And Allowed Device Makers To Access Personal Data (Jun. 5, 2018) +
- EPIC Obtains Partial Release of 2017 Facebook Audit (Apr. 20, 2018) +
- Senator Blumenthal Calls On FTC To Enforce Consent Order Against Facebook (Apr. 20, 2018) +
- EPIC Urges Senate to Focus on FTC Consent Order with Facebook (Apr. 9, 2018) +
- UPDATE - EPIC, Consumer Groups Urge FTC to Investigate Facebook's Use of Facial Recognition (Apr. 6, 2018) +
- EPIC, Consumer Groups to Urge Federal Trade Commission to Investigate Facebook's Use of Facial Recognition (Apr. 5, 2018) +
- State AGs Launch Facebook Investigation (Mar. 26, 2018) +
- FTC Confirms Investigation Into Facebook about 2011 Consent Order (Mar. 26, 2018) +
- EPIC FOIAs FTC, Seeks Facebook's Privacy Assessments (Mar. 20, 2018) +
- EPIC, Consumer Groups Urge FTC To Investigate Facebook (Mar. 20, 2018) +
- Facebook "Breach" Highlights Failure of FTC to Enforce Consent Orders (Mar. 19, 2018) +
- EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees (Feb. 13, 2018) +
- EPIC Calls for Greater FTC Enforcement (Sep. 28, 2017) +
- EPIC Urges Public Comments on FTC Settlement with Uber (Sep. 6, 2017) +
- Following EPIC Complaint, Uber Agrees To Stop Tracking Riders (Aug. 29, 2017) +
- After EPIC Privacy Complaint, Uber Settles with FTC (Aug. 15, 2017) +
- Rep. Blackburn Proposes Online Privacy Bill, Would Preempt Stronger State Protections (May. 19, 2017) +
- EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act (Aug. 29, 2016) +
- With New Policy Changes, Facebook Tracks Users Across the Web (Feb. 4, 2015) +
- Facebook Responds to EPIC Complaint About "Emotions Study" (Oct. 2, 2014) +
- European Facebook Users Privacy Lawsuit Moves Forward (Aug. 26, 2014) +
- Following EPIC Complaint, Senator Seeks Investigation of Facebook User Manipulation Study (Jul. 17, 2014) +
- EPIC Challenges Facebook's Manipulation of Users, Files FTC Complaint (Jul. 3, 2014) +
- EPIC Urges FTC to Protect Snapchat Users' Privacy (Jun. 10, 2014) +
- Federal Trade Commission Urges Court to Protect Student Privacy (May. 29, 2014) +
- EU Court Rules Google Must Respect Right to Delete Links (May. 13, 2014) +
- EPIC's Snapchat Privacy Complaint Results in 20-Year FTC Consent Order (May. 8, 2014) +
- FTC Responds to EPIC Complaint on WhatsApp and Privacy (Apr. 10, 2014) +
- Federal Trade Commission Backs Users in Facebook Privacy Case (Mar. 21, 2014) +
- WhatsApp Founder Responds to EPIC Privacy Complaint (Mar. 18, 2014) +
- EPIC Urges FTC Investigation of WhatsApp Sale to Facebook (Mar. 6, 2014) +
- EPIC Files Amicus Brief in Facebook Consumer Privacy Case, Urges Rejection of Settlement (Feb. 21, 2014) +
- Instagram Retreats on Changes to Terms of Service, Cites User Opposition (Dec. 21, 2012) +
- Facebook Updates Privacy Controls, Removes Profiles Safeguard (Dec. 13, 2012) +
- Judge Rejects Settlement in Facebook "Sponsored Stories" Case (Aug. 21, 2012) +
- FTC Finalizes Settlement with Facebook (Aug. 10, 2012) +
- Judge Skeptical of Facebook Settlement (Aug. 3, 2012) +
- Facebook Timeline Changes User Privacy Settings. Again. (Dec. 15, 2011) +
- Federal Trade Commission Announces Settlement in EPIC Facebook Privacy Complaint (Nov. 29, 2011) +
- FTC Releases Agenda for Facial Recognition Workshop (Nov. 22, 2011) +
- WSJ: Facebook Close to Settlement with FTC over EPIC Complaint (Nov. 10, 2011) +
- Sen. Rockefeller Requests FTC Report on Facial Recognition Technology (Oct. 20, 2011) +
- Facebook Makes Some Changes, Privacy Complaints Still Pending (Aug. 29, 2011) +
- Facebook Makes Changes to Facial Recognition; Still Relying on Opt-Out (Jul. 27, 2011) +
- Congressman Markey Commends EPIC, Privacy Groups for Filing Facebook Complaint (Jun. 14, 2011) +
- EPIC Files Complaint, Urges Investigation of Facebook's Facial Recognition Techniques (Jun. 10, 2011) +
- Facebook Resumes Plan to Disclose User Home Addresses and Mobile Phone Numbers (Mar. 2, 2011) +
- Congressman Barton and Markey Challenge Facebook on Disclosure of Home Addresses, Mobile Phone Numbers (Feb. 2, 2011) +
- Facebook Drops Plan to Disclose Users' Home Addresses and Personal Phone Numbers (Jan. 18, 2011) +
- Congressmen Question Facebook About Latest Privacy Breach (Oct. 20, 2010) +
- Facebook "Places" Embeds Privacy Risks, Complicated and Ephemeral Opt-Out Unfair to Users (Aug. 19, 2010) +
- Federal Trade Commission Takes Action Against Twitter, Social Network Service Settles Charges It Deceived Consumers (Jun. 24, 2010) +
- Congress Pursues Investigation of Google and Facebook's Business Practices (Jun. 1, 2010) +
- Facebook Expected to Announce Privacy Changes (May. 25, 2010) +
- New Facebook Privacy Complaint Filed with Trade Commission (May. 5, 2010) +
- Senators Oppose Facebook Changes, Schumer Urges Trade Commission to Regulate Social Network Services (Apr. 27, 2010) +
- EPIC’s Facebook Complaint of "particular interest" to FTC (Jan. 19, 2010) +
- Privacy Groups File Amended Complaint regarding Facebook (Jan. 14, 2010) +
- EPIC Seeks Facebook Communications Detailing Privacy Changes (Dec. 29, 2009) +
- EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission (Dec. 17, 2009) +
- Facebook Asks Users to Review Privacy Settings, Recommends Privacy Options, Questions Remain (Dec. 9, 2009) +
More top news
2004: Mark Zuckerberg starts Facebook as a social networking site for Harvard Undergraduates
2006: Facebook launches "News Feed," which allowed Facebook to post information directly to a user's page. Within 24 hours, hundreds of thousands of the site's users protested, prompting Mark Zuckerberg to write an open letter to Facebook users apologizing for doing a "bad job of explaining what the new features were and an even worse job of giving you control of them." Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.
2007: Facebook launches Facebook Beacon, a program that broadcast users' private online purchases on their friends' News Feeds. Users were given no advance warning of the program and could not opt out. As a result of widespread criticism, Facebook shut down Beacon in 2009.
June 11, 2008: EPIC President Marc Rotenberg testifies before Congress on social network privacy:
Users of social networking sites are also exposed to the information collection practices of third party social networking applications. On Facebook, installing applications grants this third party application provider access to nearly all of a user's information. Significantly, third party applications do not only access the information about a given user that has added the application. Applications by default get access to much of the information about that user's friends and network members that the user can see.
February 4, 2009: Facebook changes its Terms of Service. The revised TOS allow Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could "deactivate" their account, but all the information would be retained by Facebook, rather than deleted. EPIC plans to file a complaint with the FTC alleging that the new TOS violated the FTC Act.
February 18, 2009: On the eve of EPIC's FTC complaint, Facebook backs down on its revised TOS, announcing that it will restore the original TOS.
December 17, 2009: EPIC and consumer organizations file a complaint with the FTC alleging that Facebook's privacy practices were unfair and deceptive. The complaint warns that Facebook granted third party apps unrestricted access to user data without users' knowledge or consent.
July 29, 2010: EPIC urges Congress to strengthen privacy laws for Facebook users. In prepared testimony, EPIC President Marc Rotenberg urged lawmakers to update federal law to protect the privacy of Facebook users, explaining that Facebook's constant changes to its privacy settings have made it virtually impossible for users to control who gets access to their information.
September 29, 2011: EPIC writes a letter to the FTC urging it to stop Facebook from using cookies to secretly track Internet users "even after they have logged off of Facebook."
November 29, 2011: Facebook settles FTC charges that it deceived consumers by failing to keep privacy promises. The FTC issued an eight-count complaint against Facebook alleging unfair and deceptive practices by Facebook:
- In December 2009, Facebook changed its website so certain information that users may have designated as private - such as their Friends List - was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data - data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences - for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
Under the proposed FTC Order, Facebook was:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
In its announcement of the settlement, the FTC noted that "Facebook's privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups."
December 27, 2011: EPIC's comments urge the FTC to strengthen the proposed order. Specifically, EPIC's recommended that the FTC require Facebook to:
- Allow users to access all of the data that Facebook keeps about them;
- Cease creating facial recognition profiles without users' affirmative consent;
- Make Facebook's privacy audits publicly available to the greatest extent possible;
- Cease secret post-log out tracking of users across websites.
In a separate letter, EPIC also asked the Commission to determine whether Facebook's Timeline, which made archived and inaccessible information widely available without the consent of the user, was consistent with the terms of the Order.
August 10, 2012: The FTC adopts a Final Order against Facebook without any modifications.
2012 - 2018: The FTC never charges Facebook with a single violation of the Consent Order despite numerous complaints.
March 20, 2018: EPIC and consumer groups urge the FTC to investigate Facebook following revelations that Facebook permitted the disclosure of 87 million user records to the controversial political data mining firm Cambridge Analytica.
March 26, 2018: The FTC confirms an investigation into Facebook.
- EPIC FTC Complaint In re Facebook (filed Dec. 17, 2009)
- EPIC FTC Supplemental Complaint In re Facebook (filed Jan. 14, 2010)
- FTC Complaint In the Matter of Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011).
- FTC Press Release Announcing Proposed Consent Order (Nov. 29, 2011).
- FTC Analysis of Proposed Consent Order to Aid in Public Comment
- EPIC Comments on Proposed Consent Order (Dec. 27, 2011).
- EPIC Letter to the FTC Concerning Facebook Timeline (Dec. 27, 2011)
- FTC Decision and Order (Aug. 10, 2012)
- EPIC Letter to FTC Urging Investigation into Facebook (Mar. 20, 2018)