The FTC’s settlement with Facebook: Where Facebook went wrong

Share This Page

When it comes to privacy promises, what you say you do with people’s personal information has to line up with your day-to-day practices. That’s the message of the FTC’s proposed settlement announced today with Facebook.

Where did the company go wrong? The FTC’s 8-count complaint alleges a number of different violations, but they boil down to this: Facebook’s privacy practices often flew in the face of its stated policies and, as one count alleges, the company made material retroactive changes to its privacy practices without getting users’ consent.

Here’s a count-by-count walk through the complaint:

Count #1 — Facebook’s privacy settings. The FTC charged that Facebook promised that users could restrict their information to a limited audience, using certain privacy settings. But the truth, says the FTC, is that even when a user went to Facebook’s Central Privacy Page, clicked a link to “Control who can see your profile and personal information,” and limited access to certain people — for example, “Only Friends” — the user’s choice was ineffective when it came to third-party apps that users’ friends used. What kind of information did the apps have access to? Things like a user’s birthday, hometown, interests, marital status, status updates, schools attended, where they worked, photos, and videos.

Count #2 — Privacy changes (material omission). Additional counts related to privacy changes Facebook made in December 2009. According to the FTC, Facebook claimed the changes gave users “more control” over their information and allowed them to preserve their “old settings” to protect the privacy of their profile information. But what really happened? Certain information that users had designated as private — like their Friend List — was made public under the new policy. The FTC charged that when Facebook implemented the December 2009 changes, the company overrode users’ existing privacy settings without adequately disclosing what it was up to.

Count #3 — Privacy changes (unfair practices). Furthermore, according to the FTC, by now designating certain user profile info as public when it had previously been subject to more restrictive privacy settings, Facebook overrode users’ existing privacy choices. In doing that, the company materially changed the privacy of users’ information and retroactively applied these changes to information it previously collected. The FTC said that doing that without users’ informed consent was an unfair practice, in violation of the FTC Act.

Count #4 — What info apps had access to. Apps’ access to app users’ information also raised concerns with the FTC. According to the complaint, for a significant period of time after Facebook started featuring apps onto its site, it deceived people about how much of their information was shared with apps they used. Facebook said that when people authorized an app, the app would only have information about the users “that it requires to work.” Not accurate, says the FTC. According to the complaint, apps could access pretty much all of the user’s information — even info unrelated to the operation of the app. For example, an app with a TV quiz could access a user’s relationship status, as well as the URL for every photo and video the user had uploaded — information that went well beyond what the app “requires to work.”

Count #5 — What info Facebook shared with advertisers. Facebook also told users it wouldn’t share their personal information with advertisers. In Facebook’s Statement of Rights and Responsibilities, the company said, “We don’t share your information with advertisers unless you tell us to ([e.g.,] to get a sample, hear more, or enter a contest). Any assertion to the contrary is false. Period . . . we never provide the advertiser any names or other information about the people who are shown, or even who click on, the ads.” In fact, says the FTC, from at least September 2008 until May 2010, Facebook ran its site so that in many instances, the User ID of a person who clicked on an ad was shared with the advertiser. So much for “never.”

Count #6 — Facebook’s “Verified App” program. The FTC also challenged the operation of Facebook’s Verified App program. Facebook told people that the program involved a “detailed review process” and was “designed to offer extra assurances to help users identify applications they can trust — applications that are secure, respectful and transparent, and have demonstrated commitment to compliance with Platform policies.” About 250 apps paid between $175 and $375 for the seal. But according to the FTC, Facebook took no steps to verify either the security of a Verified App’s website or the security the app provided for the information it collected, beyond the steps Facebook took for any other app.

Count #7 — Photo and video deletion. The FTC charged Facebook with making deceptive claims about its photo and video deletion policy. Each of the photos and videos a user uploads onto Facebook has a Content URL — a URL for its location on Facebook’s servers. Facebook told users, “If you want to stop using your account, you may deactivate it or delete it. When you deactivate an account, no user will be able to see it, but it will not be deleted . . . When you delete an account, it is permanently deleted from Facebook.” But even after users followed Facebook’s procedure for deactivating or deleting an account, Facebook still served up these photos and videos to anyone who accessed them via the Content URL. That, said the FTC, made Facebook’s statements deceptive.

Count #8 — US-EU Safe Harbor program. The FTC challenged what it said were deceptive statements Facebook made about its compliance with the US-EU Safe Harbor Framework, a mechanism by which US companies may transfer data from the European Union to the United States consistent with European law.

Next: The Facebook order and practical tips companies of any size can take from the Facebook case


what about Facebook locking and/or disabling your account when it show your real name?

I would like to say that i noticed facebook said that the 20million would go to pay claim members and if any left over would not go back to facebook,but would go to groups (facebook) that would teach safety online tips to our youth.Well who is going to conduct those groups? FACEBOOK!! So in fact money WOULD return to facebook.

There's almost no value, other than questionable public spectacle "Theater of the Absurd", in Mark Zuckerberg appearing before Congress to explain the Cambridge Analytics data breach.

If Congress wants answers to explain why CA was allowed to do what it did, and what failed in protecting the personally identifiable information of 50 million U.S. citizens, then Federal Trade Commission Chairman, Ajit Pai, should be called to testify and describe how the FTC enforced and monitored the provisions of its' 2011 privacy settlement with Facebook.

Specifically, Mr. Pai should tell Congress how, under the 2011 settlement, Facebook ensured is:

• barred from making misrepresentations about the privacy or security of consumers' personal information;

• required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;

• required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;

• required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and

• required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

• The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.