Facebook has agreed to settle charges by the Federal Trade Commission that it lied to customers about its privacy policies. The agreement means it will now be forced to ask first before changing any privacy settings.
The agreement comes after an investigation by several online privacy advocates, led by the Electronic Privacy Information Center (EPIC). Making the agreement does not involve formally admitting any wrongdoing, but Facebook is legally obliged to stick to it. The potential penalty for any violation is $16,000, though it appears that could apply to each individual affected user if Facebook did breach the deal.
The FTC complaint that brought about the agreement lists seven instances when Facebook misled customers about its privacy policies. The most prominent was the December 2009 change when the company increased the range of options users had for controlling who could see particular types of information, but introduced the change by setting a lot of info to publicly available by default and then leaving users to put it back to a more private setting.
Other claims Facebook made that proved to be untrue included: that app developers only had access to info needed for the app (in fact they could access most other personal data); that it did not share personal data with advertisers; that it had certified the security of supposedly “Verified Apps”; and that it complied with rules on data transfers between the United States and European Union. The company also failed to inform users that setting privacy to “Friends Only” meant data was shared with developers of apps used by those friends. Claims that photos and videos were inaccessible once an account was closed were also false.
The settlement not only legally forces Facebook to stop misleading customers over privacy and security, but changes the main principle of its privacy policies: in the future it can only make changes that affect privacy once a user has explicitly authorized the change. The company must also ensure that once an account is deleted, the user’s content becomes inaccessible after 30 days.
As part of the settlement Facebook must also establish a privacy program that will be independently audited every two years until 2032.
With Facebook agreeing to the deal, the FTC has unanimously agreed to approve it. It will now go through a 30-day public consultation (which appears to be little more than a procedural nicety) before being confirmed and taking effect.
While the settlement is a major public relations black eye for Facebook, it seems likely the company decided to stop fighting the issue and settle now, rather than have the case still active and frighten potential investors if and when it goes public.