Facebook has settled with the Federal Trade Commission over allegations that it has been deceptive about the amount of privacy users have on the social networking site. The company has also internally established two executives with the title of “Chief Privacy Officer” — one supervising policy and one supervising products — to oversee its privacy commitments.
The settlement is in response to an eight-count FTC complaint charging that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”
The deal, which was announced by the FTC and Facebook on Tuesday, does not appear to have any monetary charges attached to it. Instead, Facebook has agreed to take a number of concrete steps to bolster privacy and make its operations more transparent to users.
Not surprisingly, Facebook appears keen to put the FTC incident in the past. CEO Mark Zuckerberg on Tuesday addressed the settlement with a lengthy company blog post in which he noted that it is “a similar agreement” to those the FTC has previously reached with Google and Twitter. He also said Facebook has been proactive in bolstering privacy prior to today’s announced settlement with a number of product updates enacted in the past 18 months.
Even so, Zuckerberg has appointed two people to serve in the roles of “Chief Privacy Officer” at the company to ensure that it upholds privacy standards going forward. Erin Egan, who was previously the company’s Director of Privacy, will serve as CPO of Policy, and Michael Richter, previously Chief Privacy Counsel, will serve as CPO of Product. The last person to hold the Chief Privacy Officer title at Facebook was Chris Kelly, who left the company in March 2010 to run for Attorney General of California; he did not win the election.
As part of the FTC settlement, Facebook is officially now:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.