FTC Facebook Settlement

In Response to EPIC's December 2009 FTC Complaint

• Background |
• Legal Documents |
• FOIA Documents |
• Resources |
• News Reports |
• In re Facebook

Background

EPIC's FTC Complaint

On December 17, 2009, EPIC filed an FTC Complaint along with a group of public interest organizations, including the American Library Association, the Center for Digital Democracy, the Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, the Privacy Rights Now Coaltion, the Privacy Rights Clearinghouse, and the U.S. Bill of Rights Foundation. The complaint highlighted changes in Facebook's policies and practices that threatened user privacy. First, the complaint argued that Facebook’s mandatory disclosure of information was an unfair practice. Second, the complaint argued that Facebook’s policies regarding third-party developers were misleading and deceptive. On November 29th, 2011, the FTC finalized a formal complaint against Facebook along with a proposed consent order.

The FTC's Complaint and Consent Decree with Facebook

The FTC released its formal complaint and proposed consent order with Facebook on November 29, 2011. The Complaint outlines the Commissions findings that Facebook made promises it did not keep when:

• In December 2009, Facebook changed its website so certain information that users may have designated as private - such as their Friends List - was made public. It didn't warn users that this change was coming, or get their approval in advance.
• Facebook represented that third-party apps its users installed would only have access to the user information needed to operate. In fact, the apps could access nearly all of a user’s personal data - data the apps didn't need.
• Facebook told users they could restrict sharing of data to limited audiences - for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
• Facebook had a "Verified Apps" program and claimed it certified the security of participating apps. It did not.
• Facebook promised users that it would not share their personal information with advertisers. It did.
• Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But, Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
• Facebook claimed it complied with the Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It did not. The settlement requires Facebook to improve user privacy. Among the requirements:
• The order prohibits Facebook from misrepresenting its privacy and security practices, as well as its compliance with any privacy program;
• The order requires Facebook to give its users a clear and prominent notice and obtain their affirmative express consent before sharing their information;
• The order requires Facebook to remove user information within thirty days after a user deletes an account;
• The order requires Facebook to establish a comprehensive privacy program; and

The order requires Facebook to have an independent privacy audit every two years. According to the FTC, the order will remain in effect for 20 years.

The Public Comment Process

As the FTC describes in its aid to public comment, the proposed consent order has been placed on the public record and is open for public comment for 30 days. After 30 days, the Commission will review the agreement and comments, then it will make any necessary modifications and finalize the order. Any individuals interested in submitting public comments can find the comment form here.

EPIC's Petition and Proposed Settlement Comments

Although the settlement is far-reaching and comprehensive, EPIC said it should be improved. EPIC’s campaign to the FTC is focused on five key points:

• Restore Original Settings: The FTC order should Facebook to restore the privacy defaults users had in 2009 before Facebook changed the setting
• Know What They Know: The FTC order should require Facebook to let users access all of the data that Facebook keeps about them.
• Facial Recognition: The FTC order should prevent Facebook from using facial recognition profiles without users’ consent.
• Transparency: The FTC order should require that the Facebook’s privacy report is available to the public.
• Secret Tracking: The FTC order should prevent Facebook from secretly tracking users across the web.

“We launched this campaign so that the Federal Trade Commission will take the opportunity to the fix the problems that were not addressed in the original proposal,” said David Jacobs, EPIC Consumer Protection Fellow. “And our app will make it easier for Facebook users to express their views.”

Legal Documents

• FTC Complaint: In the Matter of Facebook, Inc.
• FTC Agreement Containing Consent Order: In the Matter of Facebook, Inc.
• EPIC's Supplemental Complaint in In re Facebook (filed January 14, 2010).
• EPIC's FTC Complaint in In re Facebook (filed December 17, 2009).

FOIA Documents

• EPIC's FOIA Request (April 26, 2013)
• FTC Production Letter (June 12, 2013)
• Facebook Initial Compliance Report (Submitted to FTC on November 13, 2012)
• Facebook Initial Independent Assessment (Submitted to FTC on April 22, 2013)

Resources

• EPIC's Fix FB Privacy Fail Campaign and Petition to the FTC.
• FTC Analysis of Proposed Consent Order to Aid Public Comment
• FTC Press Release
• Some questions and answers about Facebook and privacy in wake of the FTC settlement, Associated Press, Nov. 30, 2011.
• EPIC: In re Facebook

News Reports

Print Media

• U.S. federal gov't requires Facebook to respect users' privacy, Xiong Tong , Xinhua News, Dec. 1, 2011.
• Facebook's FTC Deal: 8 Things To Expect, Mathew J. Schwartz, InformationWeek, Nov. 30, 2011.
• FTC slaps Facebook for privacy concerns, what does it mean to you, Andy Ihnatko, Chicago Sun-Times, Nov. 30, 2011.
• Facebook settles with FTC over privacy complaints, Benny Evangelista, SFGate, Nov. 30, 2011.
• F.T.C. Settles Privacy Issue at Facebook, Somini Sengupta, The New York Times, Nov. 29, 2011
• Facebook Reaches Settlement With FTC On Privacy Issues, The Wall Street Journal, Nov. 29, 2011.
• Facebook and FTC reach agreement on privacy protections, Jessica Guynn, Los Angeles Times, Nov. 29, 2011.
• Facebook settles FTC privacy complaint, agrees to ask users’ permission for changes, Cecilia Kang, The Washington Post, Nov. 29, 2011.
• Facebook makes privacy pledge in FTC settlement, Michael Liedtke, Associated Press, Nov. 29, 2011.
• Facebook settles privacy case with U.S. FTC, Diane Bartz and Alexei Oreskovic, Reuters, Nov. 29, 2011.

Blogs

• FTC Settlement Aside, Facebook Still Owns Your Privacy, Helen A.S. Popkin, DigitalLife, MSNBC, Nov. 30, 2011.
• FTC’s Facebook Settlement Leaves Gaping Holes in Privacy Protection, Betsy Walters and Meg Roggensack, Human Rights First, Nov. 30, 2011.
• Did the FTC Just Ruin Facebook?
• It’s Not All Facebook’s Fault: You're as much to blame for the site's privacy woes as Mark Zuckerberg, Farhad Manjoo, Slate, Nov. 30, 2011.
• So, What Are These Privacy Audits That Google And Facebook Have To Do For The Next 20 Years?, Kashmir Hill, Forbes, Nov. 30, 2011.
• What the Facebook/FTC Settlement Means for Users, Larry Magid, Huffington Post, Nov. 30, 2011.
• Facebook slapped by FTC with privacy audits, Tony Romm, Politico, Nov. 29, 2011.
• Facebook’s Settlement With FTC Confirmed: Privacy Changes Must Be Opt In, Josh Constine, TechCrunch, Nov. 29, 2011.