November 16, 2011 -

Facebook Flunks Privacy 101

The New York Times reported on November 10 that the Federal Trade Commission (FTC) is nearing an agreement with Facebook to settle an action over “material retroactive changes” to Facebook’s privacy practices.

In December 2009 Facebook changed its privacy practices and publicly exposed information that it had previously told users they could keep private, such as profile photos and friend lists.  Facebook also removed the ability to opt out of certain tools.  In May 2010, after getting egg on its face for its botched attempt to “simplify” its privacy settings, Facebook restored the ability to opt out of some tools as well as the ability to keep certain information private.

While the final settlement deal has yet to be approved, the Times and the Wall Street Journal are reporting that Facebook will be subject to FTC privacy audits for 20 years. (Yikes!)

What’s striking about this dispute is that the FTC has long taken the position that if you make material changes to your privacy policy (by the FTC’s reckoning, a material change is virtually any change in how you collect, use or disclose personal information), it is fine to apply those changes to information collected AFTER the amended privacy policy is posted on your site, but not to information collected BEFORE (unless you obtain the user’s express affirmative consent).  Stated simply, material privacy policy changes cannot be retroactive unless you get real consent.  To do otherwise is an unfair or deceptive trade practice in violation of Section 5 of the FTC Act.  The FTC spelled this out pretty clearly in its guidance of February 2009.

There is a common misconception that as soon as you post a new privacy policy on your site, anything goes so long as it’s disclosed in the new policy.  The FTC’s action against Facebook serves as a reminder that there are still some ground rules.  Complying with the FTC’s policies isn’t difficult: if you want your new privacy policy to apply retroactively, the next time a consumer submits information or processes a transaction on your site, just require that consumer to accept the new policy.  If the consumer doesn’t accept, it gets a little more complex (you will need to separate or tag that consumer’s pre-amendment data to ensure that it remains covered under the old privacy policy), but as a technical matter, this hardly breaks new ground.  In any case, the overwhelming majority of users won’t care and will accept the new policy.  If you really want to be squeaky-clean and privacy-friendly for marketing as well as compliance reasons, send your customers an e-mail notifying them that a new privacy policy is going into effect, or post a notice and a brief summary of the key changes in a conspicuous place on your website.
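What “tag the pre-amendment data” looks like in practice, as an added example (not code from the original post, and not anything Facebook or the FTC published): each stored record carries the policy version in force when it was collected, each user carries the set of versions he or she has expressly accepted, and a single check decides whether a given use of a record is allowed. The two policy versions, the permitted purposes, the record fields and the user names are all constructed for illustration.

```python
"""Policy-versioned consent check (added example, hypothetical site).

Assumed scenario: policy v1 keeps profile photos and friend lists visible
only to friends; policy v2 also permits public exposure and partner sharing.
A record collected under v1 may be used for v2 purposes only after its owner
has affirmatively accepted v2.  Acceptance is recorded explicitly; it is
never inferred from the user merely continuing to use the site.
"""
from dataclasses import dataclass, field

# Purposes each policy version permits (constructed for this example).
POLICY_PERMITS = {
    1: {"serve_profile_to_friends"},
    2: {"serve_profile_to_friends", "expose_publicly", "share_with_partners"},
}


@dataclass
class Record:
    owner: str
    field_name: str
    collected_under: int  # policy version in force when the data was collected


@dataclass
class User:
    name: str
    accepted_versions: set = field(default_factory=set)  # versions expressly accepted


def accept_policy(user, version):
    """Record the user's express, affirmative acceptance of a policy version
    (e.g. the click-through shown at the next submission or transaction)."""
    if version not in POLICY_PERMITS:
        raise ValueError(f"unknown policy version {version}")
    user.accepted_versions.add(version)


def submit(user, field_name, current_version):
    """Store newly submitted data.  Because the submission form requires
    acceptance of the current policy, the record is tagged with that
    version and the acceptance is recorded for the user."""
    accept_policy(user, current_version)
    return Record(user.name, field_name, current_version)


def effective_policy(record, user):
    """Policy version that governs this record.

    The record stays under the version it was collected under unless the
    owner has expressly accepted a later version, which carries it forward.
    Acceptance of an older version has no effect on newer data.
    """
    later = {v for v in user.accepted_versions if v > record.collected_under}
    return max(later) if later else record.collected_under


def may_use(record, user, purpose):
    """True if `purpose` is permitted under the policy governing the record."""
    return purpose in POLICY_PERMITS[effective_policy(record, user)]


def blocked_for(records, user, purpose):
    """Records that must be excluded from a feature rolled out under the new
    policy, i.e. the pre-amendment data that has not been re-consented."""
    return [r for r in records if not may_use(r, user, purpose)]


if __name__ == "__main__":
    alice = User("alice")
    photo = Record("alice", "profile_photo", 1)       # collected under v1
    print(may_use(photo, alice, "expose_publicly"))    # False: no v2 consent
    accept_policy(alice, 2)                            # alice clicks through v2
    print(may_use(photo, alice, "expose_publicly"))    # True: v2 now governs
```

The point of the design is that the gate is keyed on the record, not on the site-wide policy: a feature shipped under v2 asks `may_use` per record and simply skips anything `blocked_for` returns, so old data is never exposed on the strength of a policy the owner never agreed to.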

A simple issue with a simple fix … but a costly legal and PR snafu for Facebook.