Facebook has agreed to settle FTC claims that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing the information to be shared publicly. The settlement shows the FTC's intentions to enforce its privacy mandate in the social media world.
The FTC charges stemmed from changes Facebook made to its privacy settings in December 2009 to make aspects of users' profiles public by default, despite the fact that users had deliberately programmed their privacy settings to confine that information to a specific group of friends or family.
The proposed FTC settlement bars Facebook from making any further deceptive privacy claims, requires that it get consumers' express consent before it changes the way it shares their data, requires that it prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account; requires that it establish and maintain a comprehensive privacy program; and requires that it undergo a third-party privacy audit every two years for the next 20 years.
The FTC vote to accept the Facebook settlement agreement was 4-0. The FTC will publish a description of the agreement in the Federal Register and it will be subject to public comment through December 30, 2011, after which time the FTC will decide whether to make the proposed consent order final.
Google Inc. agreed to a similar deal with outside audits every other year for the next 20 years after an investigation into Google's handing of personal information in its launch of its Buzz service. Twitter Inc. also agreed to outside audits every other year for 10 years after it was charged with "serious lapses" in its data-security practices after hackers broke into accounts, including one belonging to President Barack Obama.
Take away: The government is pushing to hold companies more accountable for the personal data they collect, store and trade. Companies need to be vigilant about implementing comprehensive privacy programs that are tailored to their individual needs. In addition, once a company makes a material change in its policies, it needs to consider whether the consumer's affirmative consent will be required.