In re Facebook II

Top News

  • EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act: EPIC and the Center for Digital Democracy have filed a complaint with the FTC concerning WhatsApp’s plan to transfer user data, including personal phone numbers, to Facebook. This reversal contradicts WhatsApp’s previous promises to users that their personal information would not be disclosed and would not be used for marketing purposes. EPIC said that WhatsApp’s change in business practices is unlawful and that the FTC is obligated to act. EPIC previously filed a complaint with the FTC over Facebook’s acquisition of WhatsApp in 2014. In response, the FTC warned the two companies they must honor their privacy promises to users. The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises." (Aug. 29, 2016)
  • With New Policy Changes, Facebook Tracks Users Across the Web: Over the objections of consumer privacy organizations, Facebook has implemented policy changes that allow the company to track users across the web without consent. The Dutch data protection commissioner launched an investigation after the original announcement. This week a German privacy agency announced a similar investigation. Last year, EPIC and a coalition of consumer privacy groups urged the FTC to halt Facebook's plan to collect web-browsing information from its users. Facebook is already under a 20 year consent decree for changing users' privacy settings. The consent decree resulted from complaints brought by EPIC and others in 2009 and 2010. (Feb. 4, 2015)
  • Facebook Revises Privacy Policy: Facebook has again revised its privacy policy. Despite the new graphics, Facebook continues to collect and disclose enormous amounts of user data without meaningful consent. The use of location data has expanded dramatically. "We collect information from or about the computers, phones, or other devices where you install or access our Services," states Facebook. These include "device locations, including specific geographic locations, such as through GPS, Bluetooth, or Wi-Fi signals." Facebook is currently under a 20 year consent decree with the Federal Trade Commission as a consequence of a complaint brought by EPIC and a coalition of consumer privacy organizations when the company changed the privacy settings of users. More recently consumer organizations in the US and Europe have objected to Facebook's decision to track the web activities of users and to profile offline purchases. Privacy groups have also objected to Facebook's manipulation of user news feeds. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Dec. 5, 2014)
  • Facebook Responds to EPIC Complaint About "Emotions Study": Facebook has announced revised guidelines concerning user data the company discloses to researchers. In 2012, Facebook subjected 700,000 users to an "emotional" test by manipulating their News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In response, EPIC filed a formal complaint to the Federal Trade Commission. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has also asked the FTC to require that Facebook make public the News Feed algorithm. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy, as a result of complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. The new guidelines have improved Facebook's research process, but they still raise questions about human subject testing by advertising companies. EPIC still believes the NewsFeed algorithm should be made public. For more information, see EPIC: In re: Facebook (Psychological Study) and EPIC: Federal Trade Commission. (Oct. 2, 2014)
  • European Facebook Users Privacy Lawsuit Moves Forward: A group of over 25,000 European Facebook users may proceed with their lawsuit against Facebook. The users, led by privacy activist Max Schrems, sued Facebook in a court in Vienna. The users charge Facebook with violating EU privacy law by improperly handling users' data. Now that the court has approved the class action suit, Facebook must respond to the complaints. In 2011, Schrems brought a similar lawsuit against Facebook in an Irish court. In the same year, Facebook signed a consent order with the Federal Trade Commission, following a complaint filed by EPIC and a group of American consumer privacy organizations. EPIC has also filed an amicus brief in a federal class action lawsuit, opposing Facebook's use of children's images for advertising purposes. In 2013, EPIC gave the International Privacy Champion Award to Max Schrems, calling him "an innovative and effective spokesperson for the right to privacy." For more information, see EPIC: In re Facebook. (Aug. 26, 2014)
  • Following EPIC Complaint, Senator Seeks Investigation of Facebook User Manipulation Study: Senator Mark Warner has asked the Federal Trade Commission to investigate the legality of Facebook's emotional manipulation study. In a letter to the Commission, Senator Warner stated that "it is not clear whether Facebook users were adequately informed and given an opportunity to opt-in or opt-out." He asked the FTC to conduct an investigation to see "if this 2012 experiment violated Section 5 of the FTC Act or the 2011 consent agreement with Facebook," two issues raised in EPIC's earlier complaint. "The company purposefully messed with people's minds," wrote EPIC in a complaint to the Commission. EPIC charged that Facebook violated a consent decree that required the company to respect user privacy and also engaged in a deceptive trade practice. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 17, 2014)
  • EPIC Challenges Facebook's Manipulation of Users, Files FTC Complaint: EPIC has filed a formal complaint to the Federal Trade Commission concerning Facebook's manipulation of users' News Feeds for psychological research. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has charged that the study violates a privacy consent order and is a deceptive trade practice. In 2012, Facebook subjected 700,000 users to an "emotional" test with the manipulation of News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In the complaint, EPIC explained that Facebook's misuse of data is a deceptive practice subject to FTC enforcement. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy. The consent decree resulted from complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 3, 2014)
  • EPIC Urges FTC to Protect Snapchat Users' Privacy: EPIC has submitted comments to the Federal Trade Commission, urging the agency to require Snapchat to safeguard consumer privacy. Following a 2013 EPIC complaint, the FTC signed a consent order with Snapchat, the publisher of a mobile app that encourages users to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever," but that was false. As EPIC explained, "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." EPIC expressed support for the findings in the proposed FTC Settlement with Snapchat. But EPIC recommended that the FTC require Snapchat to implement the Consumer Privacy Bill of Rights and make Snapchat's independent privacy assessments publicly available. EPIC pursued similar claims involving false promises about data deletion with AskEraser. EPIC has also made similar recommendations for other proposed FTC consumer privacy settlements. For more information, see EPIC: In re Google, EPIC: In re Facebook, and EPIC: FTC. (Jun. 10, 2014)
  • Federal Trade Commission Urges Court to Protect Student Privacy: The Federal Trade Commission is opposing the sale of student data in a bankruptcy proceeding for ConnectEDU. The company privacy policy promises it will give students "reasonable notice and an opportunity to remove personally identifiable information" from its website. The FTC said that the sale of student information "without reasonable notice to users and an opportunity to remove personal information would contradict the privacy statements originally made to users." The FTC letter also cites consent agreements with Snapchat, Google, and Facebook. Each of these consent orders was a result of an EPIC FTC complaint. Last year, EPIC filed an extensive complaint concerning's business practices. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. For more information, see EPIC: Student Privacy, EPIC: In re Google Buzz, EPIC: In re Facebook, and EPIC: Federal Trade Commission. (May. 29, 2014)
  • EU Court Rules Google Must Respect Right to Delete Links: The European Court of Justice has upheld the "right to be forgotten" and ruled that Google must delete links upon request concerning private life. The Court also determined that companies are subject to the EU Data Protection Directive and that jurisdiction extends to companies that set up a branch in an EU state. The Court said that since privacy is a fundamental right, it overrules the economic interests of the company and the public interest in access to the information. However this is not the case concerning one's activity in public life. EPIC has broadly supported the privacy rights of Internet users and the specific right to "expunge" information held by commercial firms. For more information, see EPIC - In re Facebook, EPIC - Expungement, and EPIC - G.D. v. Kenny. (May. 13, 2014)

Summary of EPIC's Facebook Complaint

On May 7, 2010, EPIC and fourteen other organizations filed a complaint with the Federal Trade Commission, alleging that Facebook has engaged in unfair and deceptive trade practices. The complaint addresses Facebook's latest round of changes, including linking profile information, abolishing the 24 hour data retention limit for developers, instituting social plugins and "Instant Personalization," and the use of cookies by Facebook to track users' internet activity.

In the complaint, EPIC asks the FTC to open an investigation into Facebook, to compel Facebook to allow users to choose whether to link and publicly disclose personal information, to compel Facebook to restore its previous requirement that developers retain user information for no more than 24 hours, and to compel Facebook to make its data collection practices clearer and more comprehensible. The following organizations signed onto the complaint:

  • The Electronic Privacy Information Center
  • The Bill of Rights Defense Committee
  • The Center for Digital Democracy
  • The Center for Financial Privacy and Human Rights
  • Center for Media and Democracy
  • Consumer Federation of America
  • Consumer Task Force for Automotive Issues
  • Consumer Watchdog
  • FoolProof Financial Education
  • Patient Privacy Rights
  • Privacy Activism
  • Privacy Journal
  • The Privacy Rights Clearinghouse
  • The U.S. Bill of Rights Foundation
  • U.S. PIRG



Facebook is a social networking site founded in 2004 by Harvard student Mark Zuckerberg. The site “connects people with friends and others who work, study and live around them.” As of December 2009, Facebook has nearly 150 million users in the United States.

Facebook and Privacy

Facebook has had a controversial history with respect to privacy. In 2006, Facebook launched a feature called “News Feed” which allowed users to track their friends’ Facebook updates and activity in real time. Within 24 hours, hundreds of thousands of the site’s users protested the feature. One Facebook group, “Students against Facebook News Feed,” grew to 284,000 members within just a few days. As a result of the widespread protest, Mark Zuckerberg wrote an open letter to Facebook users, apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them.” Facebook then updated its privacy settings to allow for more user control over the News Feed feature.

In 2007, Facebook launched Facebook Beacon, which allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Users were unaware that such features were being tracked, and the privacy settings originally did not allow users to opt out. As a result of widespread criticism, Facebook Beacon was shut down in 2009.

In February 2009, Facebook changed its Terms of Service. The new TOS allowed Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC planned to file an FTC complaint, alleging that the new Terms of Service violated the FTC Act Section 5, and constituted “unfair and deceptive trade practices.” In response to this planned complaint, and user criticism, Facebook returned to its previous Terms of Service.

EPIC's Previous Facebook Complaint

In late 2009, Facebook rolled out another round of changes which required mandatory disclosure of profile information that had previously been protected by users' privacy settings. The site automatically made some user information, including users' names, profile pictures, friends lists, fan pages, gender, and networks, available to the public, including to third-party developers, without offering users a choice to opt out. The new Facebook privacy policy stated that “certain categories of information . . . are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings.” Consequently, users could no longer control who views certain types of information and could not prevent third-party applications from viewing certain types of information. EPIC, along with several other organizations, filed a complaint and supplemental complaint with the FTC, citing "unfair and deceptive trade practices," and urging the agency to investigate.

EPIC filed a supplemental complaint regarding several Facebook services, including Facebook Connect and iPhone syncing. EPIC alleged that Facebook's representations regarding Facebook Connect and iPhone syncing were unfair and deceptive because users who employ the services are not informed beforehand that they will no longer have control over their information.

To date, the FTC has failed to take any action regarding these complaints.

EPIC's FTC Complaint

EPIC’s FTC complaint is signed by a number of other organizations, including the Bill of Rights Defense Committee, the Center for Digital Democracy, the Center for Financial Privacy and Human Rights, the Center for Media and Democracy, the Consumer Federation of America, the Consumer Task Force for Automotive Issues, Consumer Watchdog, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, Privacy Journal, the Privacy Rights Clearinghouse, the U.S. Bill of Rights Foundation, and U.S. PIRG.

The complaint highlights several aspects of Facebook’s most recent changes that threaten its users’ privacy. The complaint focuses on Facebook's unfair and deceptive trade practice of sharing user information with the public and with third-party application developers. First, the complaint argues that Facebook's decision to force users to make previously protected information "publicly available" is an unfair practice. Second, the complaint argues that Facebook’s new social plugins and instant personalization are misleading and deceptive. Third, Facebook deceives users by not clearly informing them about cookies which Facebook uses to track users' internet activity. Fourth, Facebook's decision to allow developers to maintain user information indefinitely contradicts its previous policies and assurances to users.

Facebook now requires mandatory disclosure of even more information, including users' music, film, television, and literature preferences, employment information, educational information, current city, hometown, activities, interests, and likes and dislikes. Facebook forced users to convert information that had previously been protected under privacy settings into "links," which are "publicly available" information. Users were not given a choice to opt-out of this process. Users could either convert profile information into "links" or Facebook would remove the information from that user's profile. These changes contradict earlier assurances made by the company that users would be empowered to protect their information because, as Facebook stated, "you may not want everyone in the world to have the information you share on Facebook.”

The changes also contradict users' reasonable expectation about their privacy. Facebook allows users to adjust their privacy settings, but these adjustments have no practical effect on the public availability of information such as pages, links, employment information, and film and music preferences. Even if a user adjusts her settings so this information is limited to "friends only," the information may not be visible on the user's profile, but it is still publicly available elsewhere.

EPIC's complaint also alleges that Facebook's social plugin program is unfair and deceptive. Facebook has developed a social plugin program that encourages users to interact with websites across the internet. “Social plugins” are buttons or boxes that appear on third party websites that prompt a Facebook user to click on or comment on items of interest. For example, if a user chooses to "Like" a news article by clicking on a "Like" button, this action is displayed on the third party website, disclosed to the user's friends, and appears on the user's Facebook profile. This interaction results in user information being shared with those websites and the user's interaction being published to her friends on her "news feed." This sharing of information is not apparent to users, though, because all that users see when they navigate to a social plugin site is a small "like" or "recommend" button. There is nothing about the button which indicates the vast underlying exchange of information that occurs when a user clicks on it.

Facebook's new Instant Personalization feature is also problematic. Instant personalization allows three partner websites - Microsoft Docs, Pandora, and Yelp - to use cookies and users' "publicly available" information to serve Facebook users a tailored "experience." Pandora, for example, uses information in a user's profile to serve him music based on his stated music preferences and his friends' music preferences. Facebook disclosed user information to these three partner sites without users ever granting their permission.

Facebook has also changed its developer data retention rule in a way that profoundly affects users, without ever gaining users' consent. Previously, Facebook had limited developers' data retention by mandating that developers delete user information after 24 hours. That rule was abolished to allow developers to maintain user information indefinitely.

Facebook has also failed to be transparent regarding its use of cookies. Facebook uses cookies to track users across the internet, destroying their ability to surf the internet anonymously. EPIC's complaint argues that the use of cookies is not obvious to Facebook users or controllable under the privacy settings.

These changes together amount to a massive disclosure of user information that had previously been protected under users' privacy settings. This information has now been disclosed to third parties and can be retained indefinitely.

FTC Authority to Act

The FTC's primary enforcement authority with regard to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
