FTC Announces Enforcement Action Against Facebook
Recent reports about the FTC and Facebook nearing a settlement were true: today the FTC announced that it had entered into a proposed settlement with Facebook over Facebook's failure to keep its users' information private and its repeated sharing and publication of users' information. The proposed settlement bars Facebook from making misrepresentations about its privacy and security practices, requires it to obtain affirmative express consent before enacting changes that override privacy preferences, and imposes the usual FTC enforcement requirements regarding a privacy program and a 20-year duration. The eight-count complaint includes a violation of the U.S. Department of Commerce EU Safe Harbor Framework, marking the FTC's second substantive Safe Harbor enforcement action after the Google Buzz enforcement action. The enforcement action reinforces (1) previous FTC enforcement actions relating to aligning privacy policies and practices, (2) the importance of using screenshots for attorneys working on technology and privacy projects, and (3) the viability of the Safe Harbor as a method of transfer for personal information from the EU.
The first count of the FTC complaint relates to Facebook's deceptive privacy settings. There, the FTC alleges that information users had restricted to "Only Friends" or "Friends of Friends" in their profile privacy settings was nonetheless accessible through Facebook's Platform Applications. While this sharing exceeded the scope of only friends and friends of friends, it was not effectively disclosed to the users, resulting in a false or misleading representation.
The third count, the FTC's unfairness claim, is important and requires some more discussion. The FTC has maintained for some time, at least since the Toysmart enforcement action, that material retrospective changes to privacy policies without the express consent of the users constitute unfair trade practices. Now, the FTC further elaborates on the point and states that the users must not only provide affirmative consent, but that the consent must be properly informed. The Article 29 Working Party made a similar point in its recent guidance regarding the definition of consent in WP187. Even though Facebook used a privacy wizard to enable users to change their privacy settings, the disclosure of information was not adequate. In other words, the FTC's unfairness claim against Facebook brings together the Toysmart enforcement action and the Sears enforcement action.
The fourth count of the FTC complaint relates to the amount of access Facebook provides to its Platform Applications. The FTC argued that Facebook had stated in various locations that the Platform Applications received access only to the profile information required for the applications to work. In fact, the FTC alleged, the applications received more information than they needed to work, such as the users' relationship status, photos, and videos. In effect, the FTC argues here that Facebook's statements and processes failed the Data Integrity Principle of the Safe Harbor, without necessarily stating so. This principle is also expressed in Article 6(c) of the EU Data Protection Directive, which states that personal data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed." In simplest terms, Facebook's actions did not entirely line up with its statements.
The fifth count of the FTC complaint relates to Facebook's sharing of information with advertisers, despite its statements to the contrary. The sixth count of the FTC complaint relates to Facebook's Verified Apps program. There, Facebook stated that its Verified Apps were "secure, respectful and transparent" and that these apps had passed Facebook's review. In fact, Facebook had taken no steps to verify the security of these applications, so the statement was a false and misleading representation. The seventh count relates to Facebook's failure to prevent access to deactivated accounts. The FTC alleges that Facebook allowed others to access users' photos, videos, and other Facebook content after the accounts were deactivated. These actions, once again, constituted false or misleading statements.
The eighth and final count of the FTC complaint alleges violations of the EU Safe Harbor, which Facebook joined in 2007. This enforcement action against Facebook also happens to be the second substantive Safe Harbor enforcement action and the fourth overall. The FTC's first substantive Safe Harbor enforcement action was against Google over the rollout of Google Buzz. Here, Facebook's failure to obtain the affirmative informed consent of its users for the changes in its privacy practices, and its failure to clearly state the purposes and means of processing of the information it collects, resulted in violations of the Notice and Choice Principles of the Safe Harbor.
As a result of the enforcement action, Facebook entered into a proposed consent order. The consent order, among other things, (1) prohibits Facebook from making misrepresentations about its privacy or security practices, (2) requires it to obtain express and informed consent for changes that materially exceed restrictions placed by users, (3) requires it to establish a comprehensive privacy program, (4) requires it to obtain biennial third-party assessments of its practices, (5) requires it to retain appropriate records, and (6) terminates in 20 years.
The FTC's enforcement action against Facebook is important for several reasons. First, it affects half a billion people around the globe and provides them with fundamental privacy protections under the watchful eye of the FTC. Second, it expounds on privacy principles previously articulated by the FTC in new ways and shows the importance of clear and unambiguous privacy policies and practices. Note that Facebook used a privacy wizard to allow its users to change their privacy settings, but its statements were still deceptive and unfair. As a result, the enforcement action once again highlights the importance of brief and accurate privacy statements, which was the lesson that the FTC was attempting to teach in the Sears enforcement action.
Third, the enforcement action demonstrates the importance of screenshots. The FTC's hiring of its first full-time technologist has led to some changes. The FTC is now using screenshots more than ever in its complaints. The Facebook complaint is the first complaint (that I am aware of) where the screenshots were in the body of the complaint instead of the exhibits, which is where the Google Buzz screenshots were located. Now, however, the screenshots take center stage in many of the counts of the FTC complaint. This makes perfect sense, as the web takes place on the screen, whether on a desktop, laptop, phone, tablet or TV. This may seem like a minor difference; however, it marks an important shift. Regulators and litigators are increasingly looking at the presentation of companies' practices as well as the words in their privacy statements. Therefore, any implementation of a product or service that requires interaction on an electronic device requires that attorneys, as well as the programmers, closely examine the work product using screenshots. Though this point was already abundantly clear to many technology and privacy attorneys, the Facebook FTC enforcement action should make it clear to all attorneys. Reviewing screenshots of any product or service is crucial for the successful implementation of any project and is mandatory for the defense of any claim relating to privacy or technology.
Finally, the increasing number of EU Safe Harbor enforcement actions by the FTC shows that the promises of the Enforcement Principle of the Safe Harbor are not hollow. EU Data Protection Authorities continue to point to Binding Corporate Rules (BCRs) as the preferred method of transferring personal information to countries with inadequate protections under the EU Data Protection Directive. However, BCRs are beyond the reach of many companies due to their extensive time and resource requirements. Until the EU Data Protection Directive is amended to allow a more streamlined BCR process, the Safe Harbor will remain the main choice of U.S. companies (under FTC and DoT jurisdiction) wishing to transfer personal information from the EU.