Earlier today, the Federal Trade Commission announced a settlement with Facebook over allegations that the social network operator deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly expanding that which is shared and made public. We are heartened to see that many of the provisions of the settlement are in alignment with the Bill of Privacy Rights for Social Network Users that EFF proposed in May 2010.
Under the proposed settlement (PDF), Facebook is:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material no more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
Many of these provisions are similar to EFF’s proposed Bill of Rights, in which we outlined three basic principles that all users should expect from a social networking service:
- The right to informed decision making;
- The right to control over the use and disclosure of their data; and
- The right to leave a service.
It’s good to see the FTC and Facebook reach an agreement that will help uphold the rights of users in ways we’ve long recommended. As we explained in the Bill of Rights, “When the service wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user.” The requirement for “affirmative express consent” adopts this opt-in procedure. Likewise, the settlement’s requirement to prevent access to deleted data helps implement a more effective right to leave. While there is more in our Bill of Privacy Rights, these are positive steps.
It remains to be seen whether the 20-year privacy audit provision will be useful. An audit alone does not ensure privacy, and the auditors will be looking at a very high-level policy view of Facebook’s practices. The real test of whether the audits are successful will be whether Facebook is able to keep out of privacy hot water.
Other social sites should use this settlement as an opportunity to closely examine their own practices when it comes to safeguarding the private data of users. And this doesn’t necessarily mean paying a third-party auditor to review one’s privacy practices. It means making sound decisions about collecting and using personal information of users to ensure their privacy expectations aren’t violated, and then holding true to those commitments when it comes to respecting their privacy choices.
Today, Facebook’s CEO Mark Zuckerberg defended Facebook’s practices, but admitted that the company “made a bunch of mistakes” along the way. Other social services can learn from these mistakes.
By taking active steps to honor the privacy choices of users from the beginning, companies seeking to implement social features can avoid the privacy pitfalls that can lead to public relations disasters and lengthy proceedings with regulatory agencies. The EFF Bill of Privacy Rights for Social Network Users can serve as a roadmap to developing the privacy practices that a responsible social network service should provide to its users.