Facebook has settled charges in the United States that it “deceived” consumers by telling them they could keep their information private and then “repeatedly allowing it to be shared and made public”.
The Federal Trade Commission (FTC) took an eight-count complaint against the social networking giant.
The FTC said today the company had agreed to take several steps to make sure it lives up to is promises, including obtaining “express consent” from its users before their information is shared beyond the privacy settings they have established.
Among the complaints were that in December 2009, Facebook changed its website so certain information that users may have designated as private – such as their friends list – was made public.
“They didn't warn users that this change was coming, or get their approval in advance,” the FTC said in a statement.
In addition, Facebook represented that third-party apps users installed would have access only to user information that the apps needed to operate.
“In fact, the apps could access nearly all of users' personal data – data the apps didn't need,” according to the FTC.
Facebook also told users they could restrict sharing of data to limited audiences – for example with their ‘friends only’.
“In fact, selecting ‘friends only’ did not prevent their information from being shared with third-party applications their friends used, according to the trade commission.
The company also promised users that it would not share their personal information with advertisers and yet it did so.
Facebook also claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible.
“But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.”
Significantly, the company also claimed it complied with the US-EU Safe Harbor Framework, which governs data transfer between the United States and the European Union. The trade commission said Facebook did not comply with this framework.
The Irish Data Protection Commissioner recently began an audit of Facebook here, following a number of complaints originating in Austria.
The complaints against Facebook in Ireland have their origin in a request made under European law by Max Schrems, an Austrian law student (24), for access to the data the company holds on him.
He eventually received a CD containing 1,222 pages of information that the social network retained about him.
Within his personal file he found certain information that he knew he had deleted that still showed up in his data.
Under today’s settlement, Facebook is barred from making what the FTC called “further deceptive privacy claims”.
It also requires that the company gets consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
It is barred from making “misrepresentations about the privacy or security of consumers' personal information.
It will also be required to obtain consumers' “affirmative express consent” before enacting changes that override their privacy preferences.
The company is also required to prevent anyone from accessing a user's material no more than 30 days after the user has deleted his or her account.
The FTC also requires the company to establish and maintain a “comprehensive privacy” programme designed to address privacy risks associated with the development and management of new and existing products and services.
Facebook's privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups.
Mark Zuckerberg, Facebook's founder and chief executive, said in a blog entry on today he was is "committed to making Facebook the leader in transparency and control around privacy".
He said the company was creating two new corporate privacy officers.
Today’s settlement follows a similar agreement in March between the FTC and Google over the search company’s rollout of its own social network Google Buzz.
In 2010 the FTC settled charges with Twitter, after it alleged that the micro-blogging site had failed to safeguard users' personal information.
Additional reporting: Reuters