Facebook Settles FTC Charges and Agrees to Independent Audits of Its Privacy Program

Earlier today, Federal Trade Commission ("FTC") and Facebook announced a settlement of the government's charges that the company had deceived users regarding their ability to keep their information private. We have reposted below a blog post outlining the major elements of the settlement agreement. The post was authored by our colleague Colin Zick, co-founder of Foley Hoag's Security & Privacy practice group, and originally posted on the firm's Security, Privacy, and the Law blog.

One of the most interesting aspects of the settlement from a corporate social responsibility perspective is that Facebook has agreed to submit to independent audits to ensure that its privacy controls and policies are consistent with the FTC settlement. These audits are to occur every two years -- over the course of the next 20 years. A similar requirement was imposed in the FTC's settlement of its case against Google, which involved charges stemming from the company's launch of the Buzz social network.

In incorporating independent audit requirements, these recent FTC consent orders are consistent with the best practices established over the last decade in a variety of industries. For example, the Fair Labor Association requires its apparel industry member companies to submit to independent external monitoring, while in the information and communication technology industry, member companies of the Global Network Initiative (including Google) have agreed to regular independent assessments of their policies and procedures intended to protect user privacy and freedom of expression online.

Looking ahead, it will be interesting to see whether today's announcement may lead to other social media companies developing stronger internal and external mechanisms to ensure that their privacy policies are appropriate and effective.

* * * * * * *

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

Posted on November 29, 2011 by Colin J. Zick

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public, according to the FTC's press release.

In its complaint, the FTC alleged, among other things, that Facebook users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends,” through their Profile Privacy Settings, despite Facebook's representations that users could impose such restrictions on their accounts.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

  • set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
  • explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
  • explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
  • certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time: 20 years. (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.)

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role: Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.

Investors Release New Guide to the California Transparency in Supply Chains Act

In less than two months, on January 1, 2012, the California Transparency in Supply Chains Act will go into effect. Companies impacted by the legislation will be required to disclose their efforts, if any, to ensure that their direct supply chains are free from slavery and human trafficking.

As discussed in previous posts, the legislation applies to retail sellers and manufacturers doing business in California that have annual worldwide gross receipts exceeding one hundred million dollars.

Today, a group of investors released a best practices guide for companies seeking to comply with the California legislation. The guide, Effective Supply Chain Accountability: Investor Guidance on Implementation of The California Transparency in Supply Chains Act and Beyond, was released by the Interfaith Center on Corporate Responsibility, Christian Brothers Investment Services, and Calvert Investments.

Beyond making the minimum disclosures required by the legislation, the guide urges companies to implement a comprehensive approach to the management of human rights risks in their supply chains. Specifically, the authors call on companies to develop a comprehensive management approach to human rights-related risks that includes the following elements:

  • A human rights policy;
  • Human rights due diligence;
  • Human rights risk assessments;
  • Verification and traceability mechanisms;
  • Training/capacity building;
  • Collaboration; and
  • Disclosure/transparency.

This guidance is responsive to the expectations of key corporate stakeholders, including shareholders, legislators, and consumers, who are increasingly demanding that companies identify and manage the human rights impacts of their operations, including human trafficking. As the guide states,

[g]iven the enactment and proposal of similar laws protecting human rights, including Section 1502 of the Dodd-Frank Act and HR 2759, the Business Transparency on Trafficking & Slavery Act, it has become clear that human rights risks within business value chains are becoming more widely acknowledged. As such, it is imperative that companies take active steps to combat human trafficking within their direct operations as well as supply chains to ensure that they are not complicit in human rights abuses.

In a press release accompanying the guide, David Schilling, Program Director for Human Rights at the Interfaith Center on Corporate Responsibility, observed that

We believe that additional legislation, at both the state and the federal levels, addressing these egregious human rights violations in company supply chains is inevitable. The California Supply Chain Act may be the first law of its kind in the nation, but it will most certainly not be the last.

We believe that stakeholder expectations regarding the corporate responsibility to respect human rights will be increasingly embedded in state, national, and international legislative and regulatory frameworks. This "convergence of expectations" is a trend reflected by the California legislation, and the advice provided in the new guide is intended to assist companies in meeting both current and future compliance requirements.

Business Ethics Magazine: An Interview with John Ruggie

Business Ethics magazine recently published an interview with John Ruggie, the former U.N. Special Representative on Business and Human Rights who recently joined Foley Hoag's CSR practice as a senior advisor. Michael Connor, Editor and Publisher of Business Ethics, conducted the interview. The conversation focused on the Guiding Principles on Business and Human Rights, the business drivers for respecting human rights, and the ways in which the Principles have been adopted by both public and private stakeholders.

Speaking about the corporate responsibility to respect human rights, Professor Ruggie observed that,

The corporate responsibility to respect human rights is a social responsibility over and above compliance with applicable laws. It is the minimum expectation society has of business conduct in relation to human rights. It means that as business goes about its business, it should not infringe on the rights of others. So manufacture your mouse traps, deliver whatever services you provide, but don’t infringe on others’ human rights in the process.

He also discussed the "business case" for respecting human rights, in particular noting some of the costs that may be associated with lawsuits and community opposition when companies fail to address human rights concerns. In this context, he referenced recent research on the costs of conflict that was initiated under his former mandate. Specifically with regard to mining companies, he noted that,

For a world-class mining operation, which requires about $3-5 billion capital cost to get started, there’s a cost somewhere between $20 million and $30 million a week for operational disruptions by communities. Another estimate used by the mining industry is that an asset manager is supposed to spend between 5% and 10% of his or her time on community engagement issues. We found that it can be anywhere from a one-third to 50%, and in some cases 80% of their time. So there are opportunity costs, financial costs, legal costs and reputational costs.

Finally, speaking about the fundamental concept of human rights due diligence, which is a core element of the Guiding Principles, Professor Ruggie observed the extent to which this normative obligation has been adopted in both voluntary and legislative standards:

Human rights due diligence is now ... in the requirements of the OECD (Organisation for Economic Development and Cooperation) guidelines on multinational enterprises. ... The principle has been incorporated into a new ISO (International Standards Organisation) standard, ISO 26000. The International Finance Corporation has updated the performance standards it requires of clients, which now reference the business responsibility to respect human rights. The European Commission has incorporated the same principles, including human due diligence, into a new EU strategy on corporate social responsibility. In the U.S., the Dodd-Frank Act includes a due diligence element for companies sourcing certain minerals closely tied to conflict in the Democratic Republic of Congo.

The full text of the interview is available here.