Facebook “Settles” with the Federal Trade Commission
November 29, 2011 3:52 pm
“I founded Facebook on the idea that people want to share and connect with people in their lives,” Facebook CEO Mark Zuckerberg began in a Tuesday blog post, “but to do this everyone needs complete control over who they share with at all times.”
“I’m the first to admit that we’ve made a bunch of mistakes,” he said at one point. However, the Facebook CEO was careful to follow that near-admission of guilt by saying, “I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using one service.”
Hardly the apology one would think users deserve after pieces of their information—phone numbers and email addresses, for example—were suddenly made public without their prior consent, giving merchants who covet such information a convenient opportunity to quickly collect it before users realized what had happened.
“Facebook has always been committed to being transparent…But we can always do better.”
Such a statement comes from Zuckerberg in the wake of a settlement announced Tuesday between the social media giant and the Federal Trade Commission, which argued that Facebook has been utilizing deceptive privacy standards.
To be sure, the FTC charged Facebook with having “deceived consumers by telling them they could keep their information on Facebook private and then repeatedly allowing it to be shared and made public.”
Instead, Facebook was given a list of six requirements in the FTC settlement.
First, Facebook is officially “barred from making misrepresentations about the privacy or security of consumers’ personal information.” In plainer terms, Facebook has to abide by the privacy rules that Facebook creates.
Personally, I’m not sure what company shouldn’t be bound by such an obligation.
Second, Facebook is now “required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences.” In other words, if you tell Facebook that you want your phone number to be private when you set up your personal profile, Facebook has to ask for permission to make it public.
Again, it’s a bit disconcerting when one thinks of such a term as part of a settlement. If this is a compromise (another word for settlement), I’d hate to see what would have happened if Facebook officially won this legal battle. Would the social site have simply been given carte blanche to do whatever it pleases with user information?
Third, Facebook is “required to prevent anyone from accessing a user’s material no more than 30 days after the user has deleted his or her account.” When you delete your account and reasonably understand it to be, well, deleted, Facebook actually has to cut off access to that information within 30 days.
I don’t mean to sound like a broken record, but it’s difficult to see how such an agreement has any teeth. If a user deletes his or her profile, is it not reasonable for that person to assume that his or her information is, for all intents and purposes, deleted, or at least invisible? It’s one thing to keep it on hand so that returning users don’t have to create a new profile from scratch, but it’s another to fail to differentiate between the accessibility of the data of active members and that of former members.
Fourth, the social site is “required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information.” Put more simply, Facebook must have a consistent privacy program with respect to all of its products and services, present and future.
How comforting it is to know that Facebook is now legally obligated to protect my explicitly private information as it continues to develop new products and services.
Finally, Facebook is “required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.” Accountability. Plain and simple.
And well-warranted, I might add.
Perhaps, instead of calling this a settlement, this should be the standard operating procedure when it comes to regulating companies that hold and ultimately profit from the collection of such massive amounts of user information. Considering the FTC’s decision not to include a single punitive provision, this agreement seems more like a much-needed—not to mention long overdue—piece of regulatory legislation than a settlement.