Recent Facebook Settlement Spotlights FTC Interest
in Representations to Consumers Regarding Online Privacy
December 6, 2011
On November 29, 2011, the Federal Trade Commission (FTC) announced that it had entered a consent agreement with Facebook resolving the FTC's complaint that Facebook made false representations to consumers regarding Facebook's privacy practices. The matter developed as a result of complaints filed by the Electronic Privacy Information Center and a coalition of consumer groups.
FTC Complaint and Consent Agreement
The FTC alleged that Facebook made multiple false representations to its users about how and when the information that they shared with Facebook was shared or otherwise made available to third parties. For example, the FTC alleged that Facebook falsely told its users that third-party applications installed by users via Facebook could only access the information about those users that the application needed to function. In reality, the third-party applications had access to personal user information that they did not need. It further alleged that Facebook's "Friends Only" privacy setting falsely communicated to users that information was restricted to a limited audience, when in fact information labeled with this setting was available to third-party applications as well. The FTC also alleged that Facebook falsely stated that it did not share users' personal information with advertisers, falsely represented that the deactivation of a Facebook account rendered the user's photographs and videos previously uploaded to Facebook inaccessible, and falsely claimed to be compliant with the United States - European Union Safe Harbor Framework governing data transfer.
In resolving the complaint, Facebook agreed not to make false representations to users about the privacy of their personal information, and to make numerous revisions to its privacy practices. Going forward, Facebook must, prior to any sharing of a user's "nonpublic user information" in a way that materially exceeds the restrictions imposed by a user's privacy settings, provide notice to and obtain affirmative express consent from the user. This must be done separately and apart from the statement of any privacy or similar policy. Facebook also must establish and maintain a comprehensive privacy plan to address privacy risks, and for the next 20 years it must employ third-party auditors to evaluate Facebook's privacy practices and provide the evaluation results to the FTC. Additionally, Facebook must make users' information unavailable within 30 days following the deletion of a Facebook account.
Implications for Online Privacy Regulation
The FTC's accusations against Facebook derived from representations that Facebook made to its users. The enforcement action and proposed settlement highlight the continued value of transparent, truthful policies and the importance of regularly assessing privacy practices to ensure compliance. The Facebook settlement represents the latest example of the FTC's active and rigorous enforcement agenda for online privacy. WSGR is preparing a white paper identifying recent lessons from these settlements. Clients who would like to receive a copy should email PrivacyAlerts@wsgr.com.
Wilson Sonsini Goodrich & Rosati attorneys regularly assist clients with all aspects of their privacy and information-governance needs. For additional information about privacy-related FTC investigations and settlements or any other questions, please contact Lydia Parnes at (202) 973-8801, Tonia Klausner at (212) 497-7706, Gerry Stegmaier at (202) 973-8809, Matthew Staples at (206) 883-2583, or Wendy Devine at (858) 350-2321.