Social Networks and Privacy: Learning from Facebook’s Mistakes

Observers of Internet trends often pronounce that privacy is a fiction and that it is futile to try to reclaim it. Whether that perspective is correct or not does not matter when faced with a Complaint issued by the Federal Trade Commission (FTC). The Facebook Complaint and Consent Order recently issued by the FTC provide valuable lessons for how to stay out of the FTC’s crosshairs. Internet attorneys, businesses, consultants and advisors should study what the FTC views as deceptive in order to make necessary adjustments to business plans and operations.

In the U.S., there is no federal law that requires a website to have a privacy policy. However, California requires any website that collects personally identifiable information from California residents to have a privacy policy. Therefore, in practice, based upon the California law, most websites would be required to have a privacy policy. As far as the FTC is concerned (which operates on the federal level), there is no absolute requirement to have a privacy policy, but if a website does have a privacy policy, failure to comply with the policy will be considered a deceptive practice in violation of the FTC Act. As will be explored below, the FTC is not shy about splitting hairs in search of deceptive practice claims.

Below is a discussion of some of the more significant and relevant claims of deceptive practices alleged by the FTC Complaint. It should be noted that in the FTC Consent, Facebook denied all allegations.

1. Facebook privacy pages offered options to restrict profile information to “Only Friends” or “Friends of Friends”. However, even when such options were selected, Facebook often still provided profile information to an application that a Friend was using on their Facebook page. Such information included a user’s birthday, hometown, activities, interests, status updates, marital status, education (e.g., schools attended), place of employment, photos, and videos. Even though Facebook allowed users to restrict this access through other pages, Facebook nevertheless represented, according to the FTC, either expressly or by implication, that access could be limited to “Friends” or “Friends of Friends” on the Profile Privacy Page, and did not indicate that further actions would be required to restrict access to applications of friends.

LESSON: As seen by the above claim, a disconnect between the Privacy Policy and the technical personnel implementing strategies can result in a claim by the FTC for deceptive practices. Furthermore, statements in a Privacy Policy must be vetted to verify that they do not claim, or appear to claim, a higher level of privacy than is actually provided.

2. In November 2009, Facebook changed its privacy policy to designate certain user information as “publicly available”, a change that applied retroactively to information provided by users prior to the change. For instance, many users had selected privacy settings to (i) restrict profile information from applications used by a Friend, (ii) restrict their Friends List, and (iii) restrict access to profile pictures and pages from users using the “search” function. To implement the privacy changes, Facebook required each user to click through a multi-page notice, known as the “Privacy Wizard.” According to the FTC, the Privacy Wizard did not disclose adequately that users no longer could restrict access to the newly-designated publicly available information via their profile privacy settings or that their existing choices to restrict access to such information via these settings would be overridden.

The FTC alleged that the Privacy Wizard, either explicitly or by implication, indicated that users would have “more control” over their privacy settings than under the prior settings, which the FTC claimed was not the case. Facebook did not adequately explain that the new changes overrode prior settings as to name, profile picture, gender, friend list, pages, or networks. The FTC claimed that Facebook’s failure to adequately disclose these facts, in light of the representations made, constituted a deceptive act or practice.

LESSON: Making changes retroactively to prior privacy settings without informed consent amounts to an unfair act or practice. The FTC requires that (i) material changes to a Privacy Policy be conspicuously disclosed, (ii) users affirmatively opt-in to material changes that affect personally identifiable information previously collected, and (iii) material changes to Privacy Policies be explained clearly and truthfully. As a note, the simplest way to obtain affirmative consent is to direct the user, the next time he or she comes to the website, to an explanatory process that gives the option to consent to the new changes.

3. The FTC Complaint cites numerous examples of statements from Facebook that, even though non-identifiable information is shared with advertisers so that they can provide advertisements targeted to the particular user, personally-identifying information is never provided to an advertiser without prior consent of the user. However, the FTC noted that if ads were clicked, then Facebook would provide to the advertiser a unique ID that Facebook assigns to each user. Apparently, advertisers could use the ID to identify the person. They could then match the criteria that they had selected for serving ads to that person (e.g., if the ad targeted 23-year-old men who were “Interested In” men and “liked” a prescription drug, the advertiser could ascribe these traits to a specific user), plus the date, time and ad visited. Over time, additional traits could be identified.

LESSON: This Claim is the easiest to understand and comply with. Personally identifiable information can only be disclosed as set forth in a Privacy Policy or in a manner otherwise consented to by the user.

BOTTOM LINE: Privacy Policies must be carefully drafted, and be clear and accurate. Management and technical personnel should review and confirm the contents of the Privacy Policy. Privacy Policies should be regularly reviewed to verify that procedural or technical changes are reflected in the Privacy Policy. Material changes to a Privacy Policy that affect previously collected personal user information require affirmative consent from the users. As a result of the FTC Consent, Facebook is now subject to detailed scrutiny and reporting for the next 20 years. It’s important to keep up with changing Internet laws.

By William S. Galkin, Esq. | December 18, 2011




William Galkin manages GalkinLaw. Mr. Galkin has dedicated his legal practice to representing Internet, e-commerce, computer technology and new media businesses across the U.S. and around the world. He serves as a trusted adviser to both startup and multinational corporations on their core commercial transactions.

