Facebook has announced its long-rumored privacy settlement with Facebook. The complaint focuses on several allegedly deceptive acts by Facebook, as listed in the press release:
- In December 2009, Facebook changed its website so certain information that users may have designated as private — such as their Friends List — was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences — for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The proposed settlement would impose various privacy obligations on Facebook, including the quickly-becoming-standard 20 years of privacy audits.
Edited to add: Mark Zuckerberg’s statement.
Edit 2: My colleague Joe Hall points out Count 3 of the FTC’s complaint:
As described in Paragraphs 19–26, by designating certain user profile information publicly available that previously had been subject to privacy settings, Facebook materially changed its promises that users could keep such information private. Facebook retroactively applied these changes to personal information that it had previously collected from users, without their informed consent, in a manner that has caused or has been likely to cause substantial injury to consumers, was not outweighed by countervailing benefits to consumers or to competition, and was not reasonably avoidable by consumers. This practice constitutes an unfair act or practice.
This continues a recent trend of the FTC asserting its authority over “unfair” trade practices, even when they’re not “deceptive.” This also came up in the FTC’s settlement with Frostwire over unfair default settings, which prompted the FTC to warn companies to “spend some time thinking through [their] default settings” and consider questions like “Do your defaults keep users safe from making serious inadvertent errors?” and “Does your application work in ways consumers would reasonably expect?”