Critics might call it a slap on the wrist. Facebook has settled federal charges that it deceived consumers by divulging their private information by promising not to do it again.
In a proposed settlement with the Federal Trade Commission, Facebook promised that from now on, it will give consumers clear and prominent notice and obtain consumers' express consent before their information is shared beyond the privacy settings they have established.
"I'm the first to admit that we've made a bunch of mistakes," said Facebook founder and CEO Mark Zuckerberg in a post on the company's blog. "In particular, I think that a small number of high profile mistakes ... and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done."
Facebook, which is planning an IPO likely to exceed $10 billion next year, did not pay a fine or penalty of any kind and consumers whose privacy rights were violated will not receive any form of compensation.
"Anyone who has the privilege of collecting this type of sensitive information should live by these fair rules of the road," said Sen. John Kerry (D-Mass.), who has been pushing legislation to tighten privacy restrictions. "This settlement will help ensure that companies keep their promises to consumers and give those consumers a real voice in how their information is used, distributed, and managed."
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said Jon Leibowitz, chairman of the FTC. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."
The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
While admitting past errors, Zuckerberg insists that Facebook now puts great emphasis on ensuring users' privacy.
"Facebook has always been committed to being transparent about the information you have stored with us – and we have led the internet in building tools to give people the ability to see and control what they share," he said.
In his blog post, Zuckergerg listed what he said were "new tools and resources" to empower users to guard their privacy, including:
- An easier way to select your audience when making a new post
- Inline privacy controls on all your existing posts
- The ability to review tags made by others before they appear on your profile
- Friend lists that are easier to create and that maintain themselves automatically
- A new groups product for sharing with smaller sets of people
- A tool to view your profile as someone else would see it
- Tools to ensure your information stays secure like double login approval
- Mobile versions of your privacy controls
- An easy way to download all your Facebook data
- A new apps dashboard to control what your apps can access
- A new app permission dialog that gives you clear control over what an app can do anytime you add one
- Many more privacy education resources
The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
Facebook's privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups.