You are on page 1of 4


December 15, 2011 Vol. 77, No. 24

Focus On ...
FTCs Proposed Settlement With Facebook
Treads Path of Landmark Google Buzz Case
The Federal Trade Commission has unveiled a proposed settlement of allegations that Facebook, Inc., repeatedly failed to keep promises to consumers about the
companys treatment of their personal information.
Under the proposed settlement announced Nov. 29,
Facebook would be subject to civil penalties up to $16,000
per violation for any future misrepresentations about the
privacy or security of consumers personal information.
In addition, Facebook would commit to a comprehensive privacy by design program for the development
and management of new and existing products and services and to 20 years of biennial independent, third-party
audits of its privacy practices.
Also, the proposed settlement would require
Facebook to obtain users affirmative express consent
before enacting changes that override their privacy preferences and to ensure within 30 days of a user deleting
his or her account that no one could access the users
Facebook data.
The FTCs complaint lists eight allegations of
Facebook promises regarding user privacy or security that
it failed to meet, including assertions that third-party apps
only had access to user information needed for the apps
operation, that it certified the security of third-party apps,
and that it would not share information users personal
information with advertisers.
The FTC also said that Facebook claimed that when
users deactivated or deleted their accounts, their photos
and videos would be inaccessible. But Facebook allowed
access to the content, even after users had deactivated or
deleted their accounts. The FTC added, Facebook
claimed that it complied with the U.S.-EU Safe Harbor
Framework that governs data transfer between the U.S.
and the European Union. It didnt.
Comments on the proposed settlement will be accepted until Dec. 30.
FTC Chairman Jon Leibowitz told reporters that he
believes the settlement is fair and balanced and that it
will allow Facebook to move forward. He also said that
the proposed settlement is very comparable to the

commissions settlement
with Google, Inc., earlier
this year over charges that
Google used deceptive
tactics and violated its stated privacy policies when
launching its Google Buzz social network function last


The Google settlement marked the first time the FTC

required a company to implement a comprehensive privacy program to protect customer information and the
first time it has alleged violations of the privacy terms
outlined in the U.S.-EU Safe Harbor agreement on transferring personal data both factors that are present in
the proposed settlement with Facebook.
In response to a reporters question about how long
consumers were duped by Facebook, Chairman
Leibowitz said he wouldnt characterize them that way,
adding that at least in some instances, ... its not clear
that Facebook was aware of the violation in its entirety.
The FTC chairman said, Its also worth pointing out
that the violations have stopped.
This provides a very good level of privacy protection going forward, Mr. Leibowitz said.
Marc Rotenberg, president of the Electronic Privacy
Information Center, one of the parties whose 2009 complaint launched the FTCs investigation into Facebooks
privacy practices, said, Our preliminary assessment of
the proposed settlement is that on balance it seems very
fair and that going forward it will give users greater
control of the information they post on Facebook.
However, Mr. Rotenberg added, We do have some
concerns about whether the proposed settlement ... adequately address the problems created when Facebook
changed [the default] privacy settings in 2009. He said
that EPIC might ask in its comments on the proposed
settlement for the FTC to require that the privacy settings be restored to what they were in 2009.
Mr. Rotenberg also said that EPIC would like to see
the biennial audit reports on Facebooks privacy practices made public. Chairman Leibowitz said that whether



December 15, 2011 Vol. 77, No. 24

to make such reports public is handled case by case and

that some companies ask for such reports to be confidential.
Noting that the FTC cannot impose fines for misrepresentations and deceptive behavior under the Federal
Trade Commission Act, although it can assess civil penalties for violations of a settlement order, Mr. Rotenberg
said, We do think there should be fines in cases like
these. He added that EPIC would like to see Congress
give the commission the authority to levy fines for violations under the FTC Act.
In a Nov. 29 blog post, Facebook founder and Chief
Executive Officer Mark Zuckerberg said, Overall, I think
we have a good history of providing transparency and
control over who can see your information. That said,
Im the first to admit that weve made a bunch of mistakes. In particular, I think that a small number of high
profile mistakes, like Beacon four years ago and poor
execution as we transitioned our privacy model two years
ago, have often overshadowed much of the good work
weve done.
Mr. Zuckerberg added, Facebook has always been
committed to being transparent about the information you
have stored with us and we have led the internet in
building tools to give people the ability to see and control what they share. But we can also always do better.
Im committed to making Facebook the leader in transparency and control around privacy.

Facebook Adds Corporate Privacy Posts

Mr. Zuckerberg announced the creation of two new
corporate officer positions with privacy responsibilities.
Erin Egan is the new chief privacy officerpolicy. She
recently joined Facebook from Covington & Burling,
where she was co-chair of the law firms global privacy
and data security practice. Michael Richter is the new
chief privacy officerproducts. He had been Facebooks
chief privacy counsel.
Reps. Edward J. Markey (D., Mass.) and Joe Barton
(R., Texas), who co-chair the House Bi-Partisan Privacy
Caucus and who have jointly sent several letters to
Facebook over the past year seeking information about
its privacy practices, praised the FTCs action.
I commend the Commission for pursuing privacy
problems at Facebook and taking action to require the
strengthening of safeguards that Facebook must apply to
its users personal information, said Rep. Markey. He
added, The settlements privacy protections will benefit
Facebook users and should serve as a new, higher stan-

dard for other companies to follow in their own efforts to

protect consumers privacy online. When it comes to its
users privacy, Facebooks policy should be: Ask for
permission, dont assume it.
Rep. Barton said, I am glad that the FTC has given
much needed attention to Facebooks practices and privacy policies. Social networking is about connecting with
friends, family members and customers. There is a level
of trust involved that should not be violated. I was disappointed when Facebook made user profiles public by
default and without adequate notice. The Commission
and Facebook are both making a strong statement today
with their settlement terms: consumer privacy matters. I
hope that all websites operators will truly value the importance of online privacy.
Sen. John (Jay) D. Rockefeller IV (D., W.Va.), the
chairman of the Senate Commerce, Science, and Transportation Committee, said, Consumer privacy is a right,
not a luxury. With todays settlement, Facebook agrees
to end deceptive practices and undergo rigorous oversight. But this action against Facebook is just the first
step toward protecting consumer privacy. Ultimately, I
believe legislation is needed that empowers consumers
to protect their personal information from companies
surreptitiously collecting and using that personal information for profit.
Sen. Kay Bailey Hutchison (R., Texas), ranking member of the Senate Commerce Committee, said, Im glad
to see that Facebook and the FTC have come to an agreement that will look out for the best interests of Facebook
users. Privacy on the internet, particularly with regard to
a service that has become as pervasive as Facebook, is
extremely important and should be a top priority for the
industry. In order to foster innovation and provide a concrete foundation for the internet economy, users must have
an understanding of how their information may be gathered and used, and they must have faith that their information will not be misused.
Sen. John F. Kerry (D., Mass.), chairman of the Senate communications, technology, and the Internet subcommittee, said, The FTC has succeeded here in
protecting consumers right to privacy in an increasingly
complex technological environment. This settlement will
help ensure that companies keep their promises to consumers and give those consumers a real voice in how
their information is used, distributed, and managed. It
reinforces the principle that data collectors should not
hold consumer information hostage, especially after a user
has terminated the service.



December 15, 2011 Vol. 77, No. 24

These priorities are consistent with what Senator
McCain and I had in mind when we introduced our Internet Privacy Bill of Rights. Anyone who has the privilege of collecting this type of sensitive information should
live by these fair rules of the road, Sen. Kerry added.
Rep. Mary Bono Mack (R., Calif.), chairman of the
House commerce, manufacturing, and trade subcommittee, said, Todays announcement by the Federal Trade
Commission is a step forward in giving American consumers a greater say in how their data and personal information is shared. But in many ways, this settlement
clearly demonstrates that the privacy debate in Washington remains unresolved. Most importantly, privacy policies should be transparent and understandable to
everyone, and consumers should have an
easy-to-understand way to opt out of sharing information, if they choose to do so.
Today, there are still a lot of unanswered questions.
Are companies following through on what they tell consumers? Are consumers really in charge when told theyre
in charge? And whats the line between what information is OK to collect and more importantly share
and whats not? I look forward to exploring these and
other issues in the months ahead as we continue our hearings and debate the need for privacy legislation, Rep.
Bono Mack said.
Rep. Anna Eshoo (D., Calif.), ranking member of
the House communications and technology subcommit-

Markey, Franken Seek Info

On Carrier IQ Data Collection
Rep. Edward J. Markey (D., Mass.), co-chairman of
the Bi-Partisan Congressional Privacy Caucus, has asked
the Federal Trade Commission to investigate Carrier IQ,
Inc., a provider of network performance technologies for
wireless service providers whose data collection practices have come into question.

tee, said, I welcome the settlement reached today by

Facebook and the Federal Trade Commission. By making important and positive improvements to its approach
to protecting user privacy, Facebook has made a commitment that will put consumers first. The importance of
personal privacy is woven into the fabric of our country,
and use of personal data by any company must be transparent and secure. Ive always believed that companies,
whether large or small, should provide tools that give
consumers confidence that their information will not be
shared more broadly than they intended. Todays agreement upholds this belief.
In a statement, Daniel Castro, senior analyst at the
Information Technology & Innovation Foundation, said,
The latest action from the FTC highlights the fact the
U.S. has a healthy self-regulatory privacy system in place
that protects consumers while still allowing for innovation. Most of the concerns presented to the FTC in this
inquiry have long since been resolved to the satisfaction
of all parties. Moreover, Facebook has developed a consistent track record of responding to privacy concerns by
users and regulators and it continues to release new features to give consumers more control over their data.
Rather than impose heavy-handed regulations or engage
in expensive and unproductive litigation, policymakers
should continue to work in partnership with the private
sector to balance privacy with innovation.
Lynn Stanton,

information, such as the content of text messages, Rep.

Markey said Dec. 2. Consumers and families need to
understand who is siphoning off and storing their personal information every time they use their smart phone.
I am asking the Federal Trade Commission to investigate
this practice, and I will continue to monitor this important privacy issue.

Carrier IQ, however, said it is seeking to clarify

misinformation about its practices amid congressional
scrutiny, which arose after reports that Carrier IQs application logs phone numbers dialed from users
smartphones, the content of text messages received, the
URLs of websites visited, the content of online searches,
and users location when using their phones.

In the letter, Rep. Markey asked FTC Chairman Jon

Leibowitz what actions the FTC has taken or plans to
take to investigate the installation of software that secretly tracks and reports back the activities of cell phone
users. Rep. Markey said an investigation of that practice would fall within the FTCs mandate under section 5
of the Federal Trade Commission Acts protections from
unfair or deceptive acts of practices.

I have serious concerns about the Carrier IQ software and whether it is secretly collecting users personal

Meanwhile, Sen. Al Franken (D., Minn.) asked Carrier IQ to explain what kind of information its mobile


Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.