Facebook has agreed to settle U.S. Federal Trade Commission charges that it deceived consumers “on numerous occasions” by telling them they could keep their personal information private, then repeatedly sharing that information, the agency said Tuesday.
The FTC found a “number of instances” when Facebook made privacy promises it did not keep, the agency said in a press release. The FTC charged Facebook with unfair and deceptive business practices in an eight-count complaint made public Tuesday.
“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, the FTC’s chairman. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”
Under the proposed settlement, Facebook is barred from making further deceptive claims about privacy, and it is required that the company get consumers’ approval before it changes the way it shares their data. The proposed settlement also requires Facebook to obtain periodic assessments of its privacy practices by independent auditors over the next 20 years, the FTC said.
The settlement has no fines, because the FTC does not have fining authority for violations of the FTC Act, Leibowitz said. Facebook would be subject to fines of US$16,000 per violation per day, however, for violating the settlement, he said.
The settlement will require Facebook to implement a comprehensive privacy program, Leibowitz said. The Facebook settlement is similar to one the FTC reached with Google in March over the rollout of its Buzz social networking product.
Facebook founder Mark Zuckerberg said the company has made “a bunch of mistakes” when dealing with users’ privacy. “In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done,” he said in a blog post.
Beacon was a program designed by Facebook to share information about Facebook users’ Internet activities with friends. Facebook, overall, has a “good history of providing transparency and control over who can see your information,” Zuckerberg added.
Facebook has addressed many of the concerns the FTC raised, he said. The FTC complaint made reference to Facebook’s Verified Apps Program, which the social networking service canceled in December 2009, he said. The complaint also refers to cases where advertisers inadvertently received the ID numbers of some users in referrer URLs, a problem Facebook fixed in May 2010, he said.
Zukerberg on Tuesday announced two new corporate officers, a chief privacy officer for policy and a chief privacy officer for products.
The FTC listed several cases in which it charged Facebook with unfair privacy practices. In December 2009, Facebook changed its website so certain information that users may have designated as private — such as their friends list — was made public. They didn’t warn users that this change was coming, or get their approval in advance, the FTC said.
Facebook also said third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data, including data the apps didn’t need, the agency said.
Facebook told users it could restrict sharing of data to limited audiences — for example with “friends only.” But selecting “friends only” did not prevent customers’ information from being shared with third-party applications their friends used, the FTC said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant’s e-mail address is grant_gross@idg.com.