Earlier today, Federal Trade Commission (“FTC”) and Facebook announced a settlement of the government’s charges that the company had deceived users regarding their ability to keep their information private. We have reposted below a blog post outlining the major elements of the settlement agreement. The post was authored by our colleague Colin Zick, co-founder of Foley Hoag’s Security & Privacy practice group, and originally posted on the firm’s Security, Privacy, and the Law blog.
One of the most interesting aspects of the settlement from a corporate social responsibility perspective is that Facebook has agreed to submit to independent audits to ensure that its privacy controls and policies are consistent with the FTC settlement. These audits are to occur every two years — over the course of the next 20 years. A similar requirement was imposed in the FTC’s settlement of its case against Google, which involved charges stemming from the company’s launch of the Buzz social network.
In incorporating independent audit requirements, these recent FTC consent orders are consistent with the best practices established over the last decade in a variety of industries. For example, the Fair Labor Association requires its apparel industry member companies to submit to independent external monitoring, while in the information and communication technology industry, member companies of the Global Network Initiative (including Google) have agreed to regular independent assessments of their policies and procedures intended to protect user privacy and freedom of expression online.
Looking ahead, it will be interesting to see whether today’s announcement may lead to other social media companies developing stronger internal and external mechanisms to ensure that their privacy policies are appropriate and effective.
* * * * * * *
Posted on November 29, 2011 by Colin J. Zick
In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public according to the FTC’s press release.
In its complaint, the FTC alleged, among other things, that Facebook users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings despite Facebook’s representations that users could impose such restrictions on their accounts.
In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:
- set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
- explain how such privacy controls are appropriate to [Facebook’s] size and complexity, the nature and scope of [Facebook’s] activities, and the sensitivity of the covered information;
- explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
- certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.
This consent order will last for an astoundingly long time: 20 years. (Query whether this agreement’s terms and length will become the standard for future FTC privacy settlements.)
Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company’s privacy officer role: Erin Egan will become Facebook’s Chief Privacy Officer, Policy, and Michael Richter, currently Facebook’s Chief Privacy Counsel,will become Facebook’s Chief Privacy Officer, Products.