On November 29, 2011, the Federal Trade Commission announced that Facebook has settled charges that it deceived consumers by making false privacy promises. The settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information, (2) obtain users’ “affirmative express consent” before sharing their information with any third party in a way that “materially exceeds the restrictions imposed by a user’s privacy setting(s),” (3) implement procedures to prevent a third party from accessing users’ information no later than 30 days after the user has deleted such information or terminated his or her account, (4) establish, implement and maintain a comprehensive privacy program, and (5) obtain initial and biennial assessments and reports regarding its privacy practices for the next 20 years.

The FTC settlement comes after the Electronic Privacy Information Center recently complained to the FTC about Facebook’s privacy practices and Senator Jay Rockefeller (D-WV) proposed hearings to investigate Facebook’s online tracking practices.

In its complaint accompanying the settlement, the FTC lists eight specific allegations about Facebook’s privacy practices, including that Facebook:

  • Changed its website so that users’ Friends Lists were made public without obtaining approval from users
  • Misrepresented the level of access to user information by third-party applications
  • Shared users’ personal information with advertisers
  • Allowed access to the content of users who deleted their Facebook accounts
  • Falsely claimed that it complied with the U.S.-EU Safe Harbor Framework

In the press release announcing the settlement, FTC Chairman Jon Leibowitz stated that “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users” and that the FTC will ensure that “Facebook’s innovation does not have to come at the expense of consumer privacy.”

View the FTC’s complaint and exhibits and the consent order.