The Facebook FTC privacy settlement, and what it means for the users.

Facebook fought the law but the law won. Over a year ago, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission (FTC) about Facebook violating its users’ privacy. The FTC cited seven major complaints about Facebook’s privacy failures, which included:

  • Friend Lists and other data became public when Facebook implemented a new privacy model in December 2009, but users were not notified.
  • Facebook said apps would only be able to access the user data they needed to operate, and yet apps can request access to just about every piece of user data, needed or not.
  • Despite users selecting the “Friends Only” privacy setting, third-party apps used by friends were still allowed to access users’ data.
  • The security of apps was never actually verified by the “Verified Apps” program.
  • Personal data was accidentally shared with Facebook advertisers due to a security bug.
  • Facebook promised that deleted and deactivated accounts wouldn’t be accessible and yet, content from these past users was still available for viewing.
  • European user data that was transferred violated the US-EU Safe Harbor Framework.

Admittedly, the social networking giant addressed some of these issues when the complaint was initially filed. For example, the “Verified Apps” program was shut down and the security bug that allowed advertisers to see user data has been fixed. However, the other five complaints were left unaddressed, and Facebook has denied the allegations brought against it of breaking any laws. Despite the lack of acknowledgement from Facebook, and the time it’s taken for the FTC to act, Facebook has proposed a settlement.

The conditions of the settlement keep Facebook toeing the line for years to come. The biggest victories from the agreement require Facebook to hire third-party auditors every two years for the next twenty years to review Facebook’s security practices and policies. Also, Facebook is required to make all future privacy changes opt-in, meaning users will have the choice to accept the privacy changes the social networking site wants to implement, or retain their previous privacy settings.

On this point, EPIC’s aim wasn’t completely met. In their original complaint, EPIC had urged the FTC to require Facebook to return to its pre-2009 privacy policy. EPIC believes that Facebook’s 2009 privacy changes were confusing and misleading, resulting in some users unknowingly sharing personal information with the entire Internet. Although the FTC can’t fine a company for infringements of the FTC Act, it can fine a company for not complying with the terms of a settlement. If Facebook doesn’t shape up, the company will face a fine of 16,000 USD per violation, per day.

In particular, the settlement specifies that:

  • Facebook will not be allowed to misrepresent the safety of its users’ data.
  • Users must be allowed to opt in to privacy changes.
  • No one will be able to access content of a user’s profile thirty days after the user’s account has been deleted or deactivated.
  • Facebook must have a privacy policy using best practices.
  • Independent auditors will review Facebook’s privacy policy every two years for the next twenty years.

Although these specifics might seem tedious or obvious, the general language from the FTC will hold Facebook to keeping user data private for a long time.

In another attempt to appease the FTC, Facebook created two new roles at the head of the company: chief privacy officer of policy and chief privacy officer of products. Michael Richter, filling the CPO-Products role, was previously on Facebook’s legal counsel team. One of his largest responsibilities in his new position will be as a member of Facebook’s internal privacy review program. Before the minor reorganization, Erin Egan was Facebook’s Director of Privacy. Hopefully, as Facebook’s developers move forward, these requirements will keep users’ privacy at the forefront of their minds.