Facebook must get consent before sharing info beyond privacy settings. Dissent not happy about denial of wrongdoing.
The Federal Trade Commission voted 3-1-1 on Friday to finalize its settlement with Facebook over allegations that Facebook deceived consumers by telling them they could keep their information private, and then repeatedly letting it be shared and become public.
The Allegations: Facebook Made Private Info Public
Among other things, the FTC's complaint alleged that Facebook made some information about users, including very personal and sensitive information, available to third-party applications (or "apps") that their friends used, even though users had set that information to private; and that the apps then made the information public.
The information that could be made public allegedly included a user's:
- Profile and picture
- Sexual orientation
- Business relationships
The complaint also alleged that Facebook's conduct potentially exposed such controversial and other sensitive information to third parties, like prospective employers, government organizations, and business competitors.
Facebook Must Take Steps to Protect Privacy
According to the FTC statement issued on Friday, Facebook must take several steps to ensure it is living up to its privacy promises, including the following:
- Opt-In: Facebook must notify users and get their express consent before sharing their information beyond their privacy settings
- Privacy Program: Facebook must maintain a privacy program to protect the information of its users
- Privacy Audits: Facebook must submit to privacy audits by an independent third party every other year for a specified time
Dissent Does Not "Like" the Settlement
One commissioner voted against the settlement. He questioned whether letting Facebook deny the allegations in the final order gives the FTC "reason to believe" that Facebook engaged in unfair or deceptive acts or practices. Without that "reason to believe," he also wondered whether the FTC can conclude that the settlement is in "the interest of the public." Apparently, both findings are required.
The dissenting commissioner also questioned whether or not the consent order covers all of the alleged deceptive practices while a user is "on" Facebook, including the privacy representations and practices of "apps" that Facebook knows or should know about.