FTC and Facebook May No Longer be Friends
The Federal Trade Commission (FTC) recently agreed upon a settlement with Facebook, Inc., operator of Facebook.com, regarding the company's privacy practices. In its 8-count complaint, the FTC accused Facebook of several unfair and deceptive practices related to the privacy of user information, including misleading its users about its privacy practices and the extent to which users were able to control the information shared with others through the site. As a result of the settlement, Facebook will have to be more up front about its privacy practices and cannot make retroactive changes to its privacy settings without consent from its users.
The FTC's first argument against Facebook was that it provided misleading information to users regarding their control of their own information. In this regard, the FTC made several explicit charges against the social media provider. First, the FTC accused Facebook of failing to notify users that certain privacy settings did not hide all information that users would think was hidden and thus misled users as to the extent of control they had over their information. For example, despite privacy settings limiting the visibility of a user's "Friends List," such information was still visible through third-party applications used by their friends. Second, the FTC accused Facebook of making retroactive changes to its privacy settings without obtaining consumer consent. Essentially, this means that the FTC alleged that Facebook changed its privacy policy – sometimes in ways that were material – and enforced those changes against all of its current users without requiring the users to consent to the change. Third, Facebook continued to provide third parties with access to deactivated accounts—including photographs and videos—despite indications that those user profiles would no longer be visible.
The FTC's second argument involved the applications on the site. The FTC claimed that these applications, such as third-party platforms used for games, advertisements, and promotions, were provided with more information than necessary. This contradicted Facebook's privacy policy, which stated that Facebook would only disclose as much user information to the application owners as they needed to operate. Likewise, Facebook was accused of sharing information with advertisers despite representations that such information was not being shared. The FTC also accused Facebook of suggesting that certain applications had been through more extensive security vetting than others by providing them with permission to display a "Verified Apps badge" where many of those applications had not been reviewed any more than other applications operating on the site.
Finally, the FTC accused Facebook of falsely self-certifying itself to the Department of Commerce despite its failure to adhere to the U.S. Safe Harbor Privacy Principles, including the principles of Notice and Choice, as part of the U.S.-E.U. Safe Harbor Framework that allows U.S. companies to transfer consumer information outside of the European Union.
As part of the settlement, Facebook is prohibited from misrepresenting the extent to which it protects consumer information, especially with respect to the practices described in the counts listed above. Facebook must also clearly inform users about its data disclosure practices and delete user information within 30 days of the time that a user deactivates an account. In addition to requiring more privacy controls, the FTC has also imposed auditing and reporting requirements to ensure compliance.
All website operators collecting user information should be aware of the FTC's settlement with Facebook as it is a sign of the FTC's views on data collection and privacy policies. For one, it shows the FTC's preference for privacy by design, whereby privacy considerations are built into a company's business model and companies have individuals and programs designated to protect consumer information. It is also an indication of the importance of ensuring that a company's privacy policy is accurate, and that consumers consent to any material changes to the policy. Failure to adhere to a company's own privacy policy can lead to an action by the FTC based on unfair and deceptive business practices.
Arent Fox is continuing to monitor issues related to privacy. Please contact Anthony V. Lupo, Sarah L. Bruno, or Eva J. Pulliam with questions.


