Facebook’s Settlement With FTC Confirmed: Privacy Changes Must Be Opt In – UPDATED

Facebook CEO Mark Zuckerberg just issued a statement on the Facebook Blog confirming that his company has settled with the FTC over charges that it has violated user privacy over the years. Facebook is now “required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences”, effectively making opt in all future privacy control changes to the audience of previously shared data or content. Facebook must also submit to privacy audits every 2 years for the next 20 years, bar access to content on deactivated accounts, and avoid misrepresenting the privacy or security of user data.

[Update: We’ve now received word from Colin Stretch, Facebook’s deputy general counsel about exactly what types of changes will require opt in. “Material retroactive changes to the audience that can view the information users have previously shared on Facebook” must now be opt in. For example, requiring a user’s contact info to be public after previously allowing users to show it to “Friends Only” would have to be opt in. Newly launched products with new privacy controls are not required to be opt in, though Facebook may make them opt in to avoid further FTC complaints. I have edited this article to reflect the clarification.

The key comes in the word ‘override’ in Facebook’s proposal that it be “required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences”. Most would understand the statement to mean opt in is required for any new privacy control. However, Facebook’s public policy teams interprets this to mean changes that override existing settings, so adding new settings is admissible without opt out.

An FTC representative tells me that Facebook does not need to make new products with new privacy controls opt in. However, FTC Chairman Jon Leibowitz in a conference call with press said that the commission’s order broadly protects against deception, which springing new products and privacy features on users could be considered.]

Another core stipulation of the settlement is that Facebook change its product development process to ensure privacy is upheld. In compliance, Zuckerberg has created two new corporate officer roles, which we detail here. Chief Privacy Officer – Policy will be filled by Erin Egan, partner and co-chair of  international law firm Covington & Burling, while Chief Privacy Officer – Products will be filled by Michael Richter, Facebook’s former Chief Privacy Counsel. Facebook’s proposed package of changes to comply with the FTC will now go into a public comment period, and will likely be finalized and accepted by the FTC at the start of the new year.

The settlement will hinder Facebook’s ability to change existing products and could discourage it from releasing new products that influence privacy of existing content. Users are typically resistant to change and may be reluctant to opt in to new privacy controls, so Facebook will likely try not to make any retroactive changes that require the opt in.

The privacy audits will impact how Facebook develops and rolls out products. Previously, product teams and engineers were in part free to build and push changes to the site’s interface. Facebook could also quietly push bigger changes that influence privacy to small portions of the user base to see how they react. This strategy of asking for forgiveness rather than permission will have to be modified.

Changes will now require direct oversight from the new Chief Privacy Officers. Facebook rarely makes material retroactive changes to the audiences of content, but if it does in the future it will need to determine the most effective way to push users to opt in. This might include banners on the home page, email notifications, and other forms of alerts that could annoy users or make them overly concerned with their privacy. Unfortunately, getting 100% of the user base onto a retroactive change may now be impossible, rather than simply requiring a code push.

Imagine how difficult it would have been to get all of Facebook’s users to approve Places, its location-based checkin service that included a new location privacy control. Most of Facebook’s products thrive on ubiquity — they only work properly if everyone you know is on them. Though not required, if Facebook now voluntarily launched Places as opt it , you might only be able to check some of your friends in with you, because some may not have seen or may have ignored the option to opt in. This could have given an opportunity to disrupt Facebook to smaller location-based services like Foursquare which haven’t received such privacy scrutiny.

The one positive thing about the settlement: Facebook managed to avoid  promising to make specific changes to how it powers ad targeting with user biographic, interest, and activity data. Facebook is “barred from making misrepresentations about the privacy or security of consumers’ personal information”. Therefore, it may only need to include a line in its signup process explaining that advertisers can target users based on anonymized, aggregated personal data. The company’s core business model is safe for now.

The FTC’s 7 Complaints, and Finalizing Facebook’s Compliance Package

Zuckerberg cited the recent progress Facebook has made towards giving users better control of their privacy, but over the years its misstakes piled up giving FTC grounds to demand major changes. The FTC made 7 key complaints about how Facebook has handled privacy in the past, and many of the issues still stand:

  • Facebook didn’t warn user that Friend Lists and other data would become public when it transitioned to a new privacy model in December 2009
  • Apps can request access to almost any piece of user data, though Facebook said they could only access data they need to operate.
  • The “Friends Only” privacy setting still allowed data to be accessed by third-party apps used by friends.
  • The “Verified Apps” program didn’t actually verify the security of apps.
  • A security bug caused Facebook to accidentally share personal data with advertisers when it promised it wouldn’t.
  • Content on deactivated and deleted accounts could still be accessed despite claims to the contrary.
  • Data of users in the European Union was transferred in violation of the US-EU Safe Harbor Framework.

Facebook has corrected some of these mistakes. The Verified Apps program has been shut down, and the bug that allowed personal data to be leaked to advertisers has been fixed. Facebook still isn’t always transparent — it didn’t link to or list the changes it proposed to the FTC in the Facebook Blog post.

Zuckerberg’s statement explains that the world’s privacy weighs heavy on him,”not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.” He also says that Facebook code deeply integrates privacy protection, “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.”

However, Facebook’s progressive, fast moving product development cycle has led it to make some missteps over the years. FTC Chairman Jon Leibowitz says “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.” The FTC voted 4-0 to accept Facebook’s package of changes and open it for 30 days of public comment starting today. The Commission will then decide whether to finalize the proposed consent order. The restrictions could negatively impact the $100 billion IPO Facebook is said to be planning for summer 2012.