Facebook, FTC Reach Settlement Over Alleged Privacy Violations

Facebook Settles With The FTC, Admits To Privacy 'Mistakes'

This post has been updated.

On Tuesday, Facebook reached a settlement agreement with the Federal Trade Commission regarding the social network's policy on changing privacy controls and informing users of those changes.

Under the terms of the settlement, Facebook must obtain approval from users before making changes to the way their personal data is shared on the network. For the next 20 years, Facebook must also submit to scheduled checkups by "independent, third-party auditors" to ensure that the company's privacy policies and practices do not violate users' rights.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said FTC Chairman Jon Leibowitz, according to a release published by the agency. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."

Facebook Co-founder and CEO Mark Zuckerberg also published a lengthy post on the Facebook Blog regarding the social network's future privacy efforts and its settlement with the FTC.

"I'm the first to admit that we've made a bunch of mistakes," Zuckerberg wrote.

These announcements confirm rumors earlier this month that Facebook and the FTC were reaching an agreement over the site's controversial policies regarding the protection of users' data.

The FTC's release lists seven complaints against Facebook's allegedly deceptive privacy practices, specifically that it told users some of their personal information would be kept private, but that the site later allowed that information to become accessible.

The agency's complete list of allegations is as follows:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
  • Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
  • Facebook promised users that it would not share their personal information with advertisers. It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.

Under the proposed agreement, Facebook must adopt a policy of allowing users to opt in whenever changes are made to the site's privacy policy and sharing options. If a user deletes his or her account, Facebook must block other users from accessing data from the deleted account after 30 days.

For the next 20 years, Facebook's privacy policy will be assessed every two years to ensure that the company has made its privacy policies clear to its users and that it hasn't violated the terms of its agreement with the FTC.

Mark Zuckerberg wrote in his blog post that Facebook had recently taken many steps to give users more control over what they share on the network. However, he admitted that the company could do more to guarantee data security to its users.

Zuckerberg also wrote that the company has added two new Chief Privacy Officer positions. Erin Egan will become Facebook's executive in charge of policy, and Michael Richter will oversee products.

According to AllThingsD, "Facebook’s punishment is in line with what its competitors Twitter and Google have already agreed to: Clearer privacy policies that are audited every two years for the next 20 years."
