Lessons from the FTC Settlement with Facebook

December 6, 2011

Facebook and the FTC have announced a settlement over charges that Facebook’s 2009 retroactive changes to users’ privacy settings constituted deceptive behavior. Much of the settlement is a rehash of what we already know, namely that Facebook was aggressively pursuing the erosion of privacy and that the FTC wants companies to implement comprehensive privacy programs that are flexible as new business practices emerge. The most interesting aspects of the settlement are as follows:

1) From now on, Facebook must check in with its users and obtain affirmative consent from them before sharing information and overriding users’ privacy settings.
2) The social site must comply with a user’s desire to shut down his or her account and within thirty days block access to the deleted account’s material.
3) Facebook must implement internal procedures to safeguard users’ privacy.
4) Facebook will submit to biennial audits of its privacy practices for the next twenty years.

So what does this mean for Facebook, Facebook users, and for others in the social world? Having reviewed the settlement, I note the following issues:

Notably, the settlement does not include any financial penalties, but the FTC did insert a clause that failure to comply with the terms of the settlement would result in fines of $16,000 per violation per day. Could this be a clue to other companies about what it will cost them if they attract the FTC’s attention for deceptive privacy policies?

In addition, the FTC did not implement a retroactive setting requirement. In other words, Facebook must work on a going-forward basis to walk the straight and narrow, but what’s done is done, and the FTC is not asking for corrective measures or even any publicizing to Facebook users of how their private data was used inappropriately. That leaves Facebook users squarely in the dark. In addition, the settlement does not require Facebook to offer privacy information in consumer-friendly language. While FTC representatives have publicly stated that they do not like convoluted privacy policies, their settlement with Facebook does not provide any guidelines on what this may mean. Perhaps the answer will come in the audits.

And what about those audits? Twenty years is the equivalent of a century in the fast-evolving world of Facebook. Will we see those audits slowing down innovation? Or will they have more of an effect on Facebook’s bottom line and its potential IPO? Regardless of the outcome, the threat of an audit program should be enough to make other companies take notice.

So does the Facebook settlement change privacy best practices for other companies? Not really. It just underscores the need for developing meaningful strategies for protecting users’ privacy that are clearly communicated to consumers.

Final recommendation: Every company should conduct an internal privacy audit that examines its data collection practices, its written policies, and its crisis management strategies. Industry, generally, needs to focus on technological solutions for securing personal data to prevent more FTC investigations and government interference with commerce through legislative measures.

To review the FTC’s settlement, click here.
