Focusing public attention on emerging privacy and civil liberties issues

FTC Facebook Settlement

In Response to EPIC's December 2009 FTC Complaint

Background

EPIC's FTC Complaint

On December 17, 2009, EPIC filed an FTC Complaint along with a group of public interest organizations, including the American Library Association, the Center for Digital Democracy, the Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, the Privacy Rights Now Coaltion, the Privacy Rights Clearinghouse, and the U.S. Bill of Rights Foundation. The complaint highlighted changes in Facebook's policies and practices that threatened user privacy. First, the complaint argued that Facebook’s mandatory disclosure of information was an unfair practice. Second, the complaint argued that Facebook’s policies regarding third-party developers were misleading and deceptive. On November 29th, 2011, the FTC finalized a formal complaint against Facebook along with a proposed consent order.

The FTC's Complaint and Consent Decree with Facebook

The FTC released its formal complaint and proposed consent order with Facebook on November 29, 2011. The Complaint outlines the Commissions findings that Facebook made promises it did not keep when:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private - such as their Friends List - was made public. It didn't warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps its users installed would only have access to the user information needed to operate. In fact, the apps could access nearly all of a user’s personal data - data the apps didn't need.
  • Facebook told users they could restrict sharing of data to limited audiences - for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
  • Facebook had a "Verified Apps" program and claimed it certified the security of participating apps. It did not.
  • Facebook promised users that it would not share their personal information with advertisers. It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But, Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed it complied with the Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It did not. The settlement requires Facebook to improve user privacy. Among the requirements:
  • The order prohibits Facebook from misrepresenting its privacy and security practices, as well as its compliance with any privacy program;
  • The order requires Facebook to give its users a clear and prominent notice and obtain their affirmative express consent before sharing their information;
  • The order requires Facebook to remove user information within thirty days after a user deletes an account;
  • The order requires Facebook to establish a comprehensive privacy program; and
The order requires Facebook to have an independent privacy audit every two years. According to the FTC, the order will remain in effect for 20 years.

The Public Comment Process

As the FTC describes in its aid to public comment, the proposed consent order has been placed on the public record and is open for public comment for 30 days. After 30 days, the Commission will review the agreement and comments, then it will make any necessary modifications and finalize the order. Any individuals interested in submitting public comments can find the comment form here.

EPIC's Petition and Proposed Settlement Comments

Although the settlement is far-reaching and comprehensive, EPIC said it should be improved. EPIC’s campaign to the FTC is focused on five key points:

  • Restore Original Settings: The FTC order should Facebook to restore the privacy defaults users had in 2009 before Facebook changed the setting
  • Know What They Know: The FTC order should require Facebook to let users access all of the data that Facebook keeps about them.
  • Facial Recognition: The FTC order should prevent Facebook from using facial recognition profiles without users’ consent.
  • Transparency: The FTC order should require that the Facebook’s privacy report is available to the public.
  • Secret Tracking: The FTC order should prevent Facebook from secretly tracking users across the web.
“We launched this campaign so that the Federal Trade Commission will take the opportunity to the fix the problems that were not addressed in the original proposal,” said David Jacobs, EPIC Consumer Protection Fellow. “And our app will make it easier for Facebook users to express their views.”

Legal Documents

Resources

News Reports

Print Media

Blogs