In the wild, wild west of the internet, it looks like the Federal Trade Commission is saddling up to play the role of sheriff. On November 29, 2011, the FTC announced its proposed settlement of claims against the social networking goliath, Facebook. (By the way, you can read about it on the Commission’s Facebook page: http://www.facebook.com/federaltradecommission?v=wall.) The settlement resolves an eight-count administrative complaint charging Facebook with misleading its users by telling them it would protect the privacy of personal information, but repeatedly allowing that information to be shared with third parties or made public without the users’ knowledge or consent. (In the Matter of Facebook, Inc., File no. 092 3188.) Coming on the heels of the FTC’s March 2011 settlement of charges that Google, Inc. violated its own privacy promises to consumers when it rolled out its social network site, Google Buzz (In the Matter of Google, Inc., File no. 102 3136), the Facebook case demonstrates the agency is willing to use consumer protection laws to “make sure companies live up to the privacy promises they make to American consumers.” (http://ftc.gov/opa/2011/11/privacysettlement.shtm.)
The FTC’s charges stemmed from representations Facebook made to users regarding their ability to restrict access to personal information they loaded onto the site. For example, according to the FTC, the company told users they could restrict access to personal data by using a “Friends Only” setting, but in fact, software applications developed by third parties -- “third-party apps” -- and employed by the users’ “Friends” could still access and collect the allegedly restricted data. Facebook further misled users by telling them that third-party apps could not access data unnecessary to run the apps, and that Facebook would not share information with advertisers. Neither of those representations was true. Also, in December 2009, the company allegedly overrode users’ privacy settings when it enacted wholesale changes that publicly disclosed previously restricted information such as “Friends” lists, without first getting the users’ approval to enact these changes. (You can read Facebook’s eight alleged deceptions in the complaint at the FTC’s website: http://ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf.)
Under the proposed settlement, Facebook will be prohibited from making any further deceptive privacy claims, from changing the way it shares a user’s data without first obtaining the user’s approval, and from allowing anyone to access a user’s information more than 30 days after the user deletes his or her account. In addition, Facebook will be required to maintain a comprehensive privacy program intended to address privacy concerns associated with both new and existing products used on its site. To ensure the existence and proper administration of its privacy program, Facebook will be audited by an independent third party every two years for the next twenty years. Though the settlement does not impose any monetary sanctions, Facebook could incur fines of up to $16,000 per day if it fails to comply with its terms. The FTC will take public comments on the proposed settlement through December 30, 2011.
The FTC’s charges focused on Facebook’s failure to live up to its own representations regarding data security, not the simple fact that it shared personal data with third parties. This tack derived from the consumer protection standards underlying the complaint -- specifically, section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” (15 U.S.C. § 45(a)(1).) (The FTC also is tasked with enforcing the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., which imposes restrictions on operators of commercial websites who knowingly collect personal information from children under age 13, but that statute was not invoked in this case.)
While it is easy to view this decision primarily as a vindication of personal privacy interests -- and in many ways, it is -- it really reflects a victory in the FTC’s efforts to defend consumer rights. Facebook’s problems arose not from the dissemination of data, but from its failure to live up to its own promises. Had Facebook not told its users that it would protect certain personal data, or had it simply informed users more fully regarding its December 2009 changes in its privacy practices, it is likely it could have disseminated the data precisely as it did, but avoided its run-in with the FTC.
Facebook remains under criticism for other data collection practices, such as tracking webpages visited by both members and non-members. As quoted in USA Today, West Virginia Senator Jay Rockefeller urges the passage of new laws to help consumers “protect their personal information from companies surreptitiously collecting and using . . . personal information for profit.” (http://www.usatoday.com/tech/news/story/2011-11-29/facebook-settles-with-ftc/51467448/1) Whether or not those new laws come to pass, the FTC has demonstrated that consumer protection laws already on the books give it some potent guns for policing the internet frontier.
Jim Fieweger is a partner in the Chicago law firm Williams, Montgomery & John. A former Assistant United States Attorney in the Northern District of Illinois, Jim is an experienced trial lawyer whose practice focuses on commercial litigation and white collar criminal defense. Jim is a member of the DRI Government Enforcement and Corporate Compliance Committee.