Facebook Settles With the FTC — In re Facebook, Inc.

[Post by Venkat Balasubramani, with comments from Eric]

In re Facebook, Inc. (Nov. 29, 2011) (Settlement & Proposed Consent Decree [pdf]) (Mark Zuckerberg’s blog post)

The FTC announced its long-rumored settlement with Facebook. The key terms:

• Facebook is barred from making representations about the “privacy or security” of consumers’ personal information;

• Facebook must get end user approval before it enacts changes which “override” consumer preferences;

• Facebook is required to prevent anyone from accessing a “user’s material” within 30 days of a user’s deletion of his or her account;

• Facebook must enact a “comprehensive privacy program”;

• Facebook must undergo periodic privacy audits conducted by independent third parties.

Facebook is under the FTC’s jurisdiction for 20 years.


The FTC’s complaint and its explanation sheds some light on the scope of the settlement. Among other things, the complaint alleged: (1) Facebook shared informormation such as “friends lists” without warning users that it would change the default; (2) shoddy security practices around third party apps, which were permitted to access information beyond what was necessary to operate the apps; (3) Facebook shared personal information with advertisers when it said it wouldn’t; (4) Facebook continued to allow access to profiles after end users had deleted them; and (5) Facebook claimed it complied with EU Safe Harbors when it didn’t.

Given the numerous missteps (or some would say, overt disregard for user privacy) by Facebook, this was inevitable. As Eric mentions in his comments, Twitter and Google are both under similar consent decrees, and now with Facebook having agreed to a proposed settlement, the FTC has achieved de facto regulation of the biggest social networks.

The big question is what this will mean for Facebook’s advertising practices. It will undoubtedly make it harder to Facebook to permeate as a platform without clearly disclosing changes to users (the Facebook feature that alerts your friends when you are reading an article probably warrants more robust disclosure as a result of this decree), but will Facebook’s garden-variety targeting be affected in any way? I’m guessing not. (The definition of “third party” in the settlement carves out a “service provider . . . [who] uses the . . . information for and at the direction of [Facebook] and no other individual or entity and for no other purpose [and] does not disclose the . . . information, or any individually identifiable information derived from such information, except for, and at the direction of, [Facebook], for the purpose of providing services requested by a user . . . .” Query as to how this carve out affects Facebook’s advertising practices.)

The provisions about “privacy changes” seem to apply prospectively. I assume Facebook rolled back all of the objectionable changes which precipitated consumer complaints in the first place, so it’s not as if Facebook gets a free pass on its overreaches to date. Still, it’s interesting that the settlement did not specify the various changes over the past couple of years that spurred the FTC into action.

The part about deleted profiles was interesting in that the settlement only says that Facebook agrees to not “allow third party access” to profile information. There’s nothing about Facebook purging the information, so I assume it can still be subpoenaed.

I question whether the settlement comes too late for Facebook. It has fooled users not once, or twice, but on a regular basis. (Facebook is like the stereotypical person in an abusive relationship. It doles out the punishment and people keep coming on hearing a promise that it will make things right.) In a way, the settlement may be a boon to Facebook. It has failed to keep its promises of its own accord, but now it can point to the imprimatur of the FTC settlement and say: “like Twitter and Google, we too are under the tumb of the FTC…you don’t have to take our word for it that we will make good on our privacy promises!”

[NB: the numerous privacy class actions against Facebook have all been dismissed or are otherwise languishing and are likely to be dismissed. This settlement should not have any effect on those lawsuits one way or another, although Zuckerberg’s blog post contains a broad mea culpa that may sway a judge or a factfinder. If plaintiffs can get past the damages/standing issue, they are sure to wave that around.]


Eric’s Comments

1) The FTC’s privacy rules are quite easy to follow. Tell users the truth, and don’t change the rules mid-stream without users’ consent. We’ve all known that Facebook repeatedly cuts corners when it comes to its privacy promises. Like most Internet companies, they thought they could get away with it. They didn’t.

2) The fact Facebook violated these rules is bad legally, but it’s even worse for Facebook’s user relations. Few Internet brands as big as Facebook have so many users that feel apathetic—or downright antagonistic—towards the service. This isn’t a recipe for long-term success.

3) Surprisingly, although the collateral material discusses third party apps, the settlement doesn’t crack down on Facebook’s API and the stunning amount of personal data (about both users and their friends) that third parties can pull from Facebook without any meaningful supervision. Even so, I can’t imagine Facebook’s API will continue to work as it’s currently working for the indefinite future.

4) The FTC is on the way to making a clean sweep of settlements with major Silicon Valley Internet players. See our blog posts on the Twitter and Google Buzz settlements. It seems inevitable that the FTC will eventually put all of them under a monitoring program. In effect, the FTC is manufacturing de facto legislation through its Silicon Valley tour-de-force.

5) Add in the DOJ’s extraordinary attention to the Silicon Valley, especially Google, and it’s clear that DC regulators intend to have the final word about Silicon Valley business practices.