Ever had the frustrating experience of discovering your so-called “private” photo album on Facebook has been made public for all the world to see? Well, here’s a bit of good news.
On Friday afternoon, the Federal Trade Commission finally reached its long-awaited privacy settlement with Facebook, resolving charges that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.
This concludes a long saga between the FTC and Facebook, and although Facebook admitted no wrong-doing, the FTC pressed on with its case for months. What were some of the privacy offenses?
The FTC’s complaint alleged that Facebook purposely shared users’ personal information with third-party advertisers from September 2008 through May 2010, selling that data for lucrative marketing purposes.
Further, starting in 2009, the FTC alleged that Facebook quietly made privacy changes that automatically shared information and pictures, even if users had previously programmed their privacy settings to hide that content.
The settlement requires Facebook to take several steps to make sure it lives up to future privacy promises. Among those promises, Facebook must:
- Offer an “opt-in option” by giving users clear and prominent notice before sharing their information beyond their privacy settings.
- Maintain a comprehensive privacy program to protect consumers’ information.
- Obtain a privacy audit from an independent third party every two years for the next 20 years.
The FTC added that, based on its extensive investigation, there is a strong reason to believe that the settlement is “in the public interest, and that the provisions make clear that Facebook will be liable for a broad range of deceptive conduct.”
Indeed, it was discovered earlier this year that more than 7.5 million kids under 13 were on Facebook this past year. This is despite Facebook’s terms of service, which requires users to be at least 13 years old. Even more troubling was that a majority of parents of kids 10 and under seemed largely unconcerned by their children’s use of the site.
The Government’s Gripes
So what exactly did the FTC discover during its long investigation? The government’s official complaint used Facebook’s own words against it throughout the case, citing the following examples of fraud:
“Facebook may use information in your profile without identifying you as an individual to third parties. We do this for purposes such as . . . personalizing advertisements and promotions so that we can provide you Facebook. We believe this benefits you. You can know more about the world around you and, where there are advertisements, they’re more likely to be interesting to you. For example, if you put a favorite movie in your profile, we might serve you an advertisement highlighting a screening of a similar one in your town. But we don’t tell the movie company who you are.”
“We don’t share information with advertisers without your consent . . . We allow advertisers to choose the characteristics of users who will see their advertisements and we may use any of the non-personally identifiable attributes we have collected (including information you may have decided not to show other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements. For example, we might use your interest in soccer to show you ads for soccer equipment, but we do not tell the soccer equipment company who you are . . . Even though we do not share your information with advertisers without your consent, when you click on or otherwise interact with an advertisement, there is a possibility that the advertiser may place a cookie in your browser and note that it meets the criteria they selected.”
“We do not give your content to advertisers.”
— (Facebook Statement of Rights and Responsibilities, May 1, 2009).
“Still others asked to be opted-out of having their information shared with advertisers. This reflects a common misconception about advertising on Facebook. We don’t share your information with advertisers unless you tell us to ([e.g.,] to get a sample, hear more, or enter a contest). Any assertion to the contrary is false. Period . . . we never provide the advertiser any names or other information about the people who are shown, or even who click on, the ads.”
— (Facebook Blog, http://blog.facebook.com/blog.php, “Responding to Your Feedback,” Barry Schnitt, April 5, 2010).
“We never share your personal information with advertisers. We never sell your personal information to anyone. These protections are yours no matter what privacy settings you use; they apply equally to people who share openly with everyone and to people who share with only select friends. The only information we provide to advertisers is aggregate and anonymous data, so they can know how many people viewed their ad and general categories of information about them. Ultimately, this helps advertisers better understand how well their ads work so they can show better ads.”
— (Facebook Blog, http://blog.facebook.com/blog.php, “The Role of Advertising on Facebook,” Sheryl Sandberg, July 6, 2010).
Contrary to the statements above, the FTC claimed that Facebook shared information about users with platform advertisers by identifying users who clicked on their ads and to whom those ads were targeted. Specifically, Facebook designed and operated its website so the user ID for a user who clicked on a platform ad was shared with the platform advertiser.
As a result, advertisers potentially could take steps to get detailed information about individual users by combining the user’s real name with any targeted traits used for the ad the user clicked, along with information about the user’s visit to the advertiser’s website.
Only time will tell whether this FTC enforcement results in meaningful changes. After all, Facebook is a company whose fundamental business model is to collect information about you and use it to sell ads.