Facebook And FTC Settle Privacy Charges — No Fine, But 20 Years Of Privacy Audits

Facebook and the FTC today finalized their earlier-announced settlement over charges that Facebook had “deceived” its customers by “telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” Unlike this week’s earlier $22.5 million FTC settlement with Google, Facebook does not face any financial penalties, because the FTC does not have the authority to levy fines when it enters an initial agreement like this one (it can only impose fines when companies violate the agreement). Instead, the company will have to promise that it will give its users “clear and prominent notice” and get their consent before sharing their information beyond their privacy settings. In addition, Facebook will have to submit itself to biennial privacy audits for the next 20 years and maintain a “comprehensive privacy program.”

The FTC launched its investigation into Facebook’s privacy practices in 2011 and the two organizations first announced that they had settled the charges last November. Today’s announcement marks the end of the public comment period and finalizes the settlement agreement.

Here are the details of the settlement. Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

Just as with Google’s earlier settlement, Commissioner J. Thomas Rosch dissented from the 3-1-1 decision, questioning whether “Facebook’s express denial of liability provided ‘a reason to believe’ that the settlement was ‘in the interest of the public’” and expressing concern “that the final consent order may not unequivocally cover all representations made in the Facebook environment.”

You can read the full settlement order here.

Update: Added explanation for why Facebook – unlike Google – doesn’t face a financial penalty at this point.