Privacy and technology groups generally applauded a wide-ranging settlement between Facebook and the U.S. Federal Trade Commission over the social-networking site's privacy practices.
The FTC alleged that Facebook repeatedly deceived users by saying their data was private when it wasn't.
The settlement, announced Tuesday, seems "very fair" on balance, said Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), a privacy group that spearheaded a complaint filed against Facebook at the FTC nearly two years ago.
Rotenberg, however, called on the FTC to require Facebook to roll back changes in its data sharing practices made in December 2009. Facebook changed "its users' privacy settings without their consent," making some private information public, he said.
The settlement doesn't appear to require Facebook to restore those privacy settings, Rotenberg said. "The practical consequence is that the company will be able to continue to use and market and disclose information from users that we believe was improperly obtained," he said.
The settlement should give Facebook users greater control of their information going forward, Rotenberg said, but the U.S. has no comprehensive privacy law. That means other online companies are not subject to this settlement, he said.
The settlement requires Facebook to create a comprehensive privacy program and to open itself up to independent audits of its privacy practices every other year for 20 years. The agreement bars the company from making misrepresentations about the privacy or security of consumers' personal information, and it requires Facebook to obtain consumers' consent before making changes that override privacy preferences.
The settlement also requires Facebook to prevent anyone from accessing a user's information no more than 30 days after users have deleted their accounts.
The FTC's settlement is as strong as the agency could achieve, said Jeffrey Chester, executive director of the Center for Digital Democracy, another privacy group. Facebook continues to be "in the middle of an expansive data collection system," Chester said. "Since 2007, the social media giant has purposefully worked to erode the concept of privacy by disingenuously claiming users want to share all their personal information."
The settlement could allow privacy and consumer groups to force Facebook to develop better privacy practices, but those groups will have to be vigilant, Chester said.
"I believe Facebook will try and continue the largely invisible to users tactics that harvest and distribute tremendous amounts of information about users and their networks," he said. "Privacy groups will have to work overtime to try and keep the FTC zeroed in on Facebook's future practices. The social giant clearly wanted to get past this so it could cash out via an IPO."
There have been press reports this week that Facebook is considering an IPO.
The FTC does not have authority to fine Facebook for unfair and deceptive business practices, officials at the agency said. But Rotenberg and John Simpson, consumer advocate at Consumer Watchdog, said fines should be available in cases like this.
"This is an important step forward by the FTC in guaranteeing consumers' privacy," Simpson said. "The provision for privacy audits of Facebook over the next 20 years is a significant and important safeguard. Nonetheless, give the litany of Facebook's wanton failure to respect its users' privacy and its flagrant misrepresentation of its practices, there should have been substantial financial penalties."
The American Civil Liberties Union praised the settlement but called for a comprehensive privacy law in the U.S.
E-commerce trade group NetChoice gave the FTC and Facebook a "polite golf clap" for the agreement. A mutual agreement between a company and the FTC is preferable to new privacy legislation, the group said in a blog post.
"But there's a risk with agreements that are driven more by media melodrama than consumer concern: It can force formerly innovative companies to ask regulators for a permission slip before rolling out new features and free services," NetChoice said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is firstname.lastname@example.org.