Response Magazine Site Response Expo Site Direct Response Market Alliance Site Job Board


   Log in

What the FTC's Facebook Privacy Settlement Means for Marketers

6 Dec, 2011 By: Linda A. Goldstein

The Federal Trade Commission (FTC) recently announced a major settlement with Facebook resolving allegations that Facebook failed to honor some of the promises contained in its privacy policies regarding data collection and sharing practices.

The FTC complaint cited a number of instances in which Facebook allegedly failed to honor the terms of its privacy policy, including:
1. In December 2009, Facebook changed its website so that some information that users had previously designated as private was made public. The FTC objected to the fact that Facebook did not provide notice of this change or obtain consumer consent.
2. Facebook represented that third-party apps would only have access to user information that was necessary to operate the app. Instead, the apps were able to access nearly all of the user’s personal data.
3. Facebook told users they could restrict sharing of data to limited audiences by setting the privacy designation to “Friends Only,” but that did not prevent the information from being shared with third-party apps that their friends used.
4. Facebook shared users’ personal information with advertisers even though its privacy policy said that it did not.
5. According to the FTC, Facebook claimed that when users deactivated or deleted their accounts their photos and videos would be deleted. However, this did not happen.

The consent order prohibits Facebook from making any misrepresentations about how it will treat consumers’ personal information in the future and requires it to provide notice of any material changes to its policies and to obtain the consumer’s affirmative express consent before making any changes that would override the consumer’s privacy preferences, among other restrictions.

As the FTC stated in its press release announcing the settlement, “This complaint is part of the agency’s ongoing effort to make sure companies live up to the privacy promises they make to American consumers.” Before drafting any privacy policy it is important to consider very carefully what information you intend to collect and how you intend to do it. The FTC does not mandate what your privacy policy has to say, but it does require that you do in practice what you say in your policy.

This order also reiterates the FTC’s long-held position that if there are going to be material changes to a privacy policy, they cannot be made unilaterally. Consumers must be provided notice of the changes in a manner separate from the privacy policy itself and if the changes are material, the consumer’s affirmative consent should be obtained.

Finally, the order defines personal information to include not just name and address, but E-mail address, IP address, photos, videos, screen names, mobile or other telephone numbers, and physical locations – consistent with the FTC’s broad approach to the definition of personal information.

Marketers should also beware that some of the offenses cited by the FTC resulted from the collection of information through third-party apps rather than directly by Facebook. Marketers would be well advised to verify what information is being collected by any third-party apps or services being used in connection with their services, how they will be used, and to disclose this information in their privacy policies.

Linda Goldstein is chair of the Advertising, Marketing and Media division of Manatt, Phelps & Phillips LLP, based in the firm’s New York office. She can be reached at (212) 790-4544 or [email protected].

Add Comment