Facebook founder Mark Zuckerberg, in a company blog post outlining an agreement with the FTC over charges that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”
Says the FTC:
“The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.”
And Zuckerberg said in his blog post:
“Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised. For example, their complaint to us mentioned our Verified Apps Program, which we canceled almost two years ago in December 2009. The same complaint also mentions cases where advertisers inadvertently received the ID numbers of some users in referrer URLs. We fixed that problem over a year ago in May 2010.
“In addition to these product changes, the FTC also recommended improvements to our internal processes. We’ve embraced these ideas, too, by agreeing to improve and formalize the way we do privacy review as part of our ongoing product development process. As part of this, we will establish a biannual independent audit of our privacy practices to ensure we’re living up to the commitments we make.”
Zuck goes on to say that he’s established “two new corporate officer roles” to ensure privacy concerns continue to be addressed. Erin Egan has been named Chief Privacy Officer, Policy; Michael Richter has been named Chief Privacy Officer, Products.
The FTC’s list of complaints consists of eight items alleging, among other things, that Facebook made private information public after updating parts of the site, allowed unnecessary data to be accessed by certain apps, didn’t successfully verify the security of certain apps, shared data with advertisers when it said it wouldn’t, failed to delete users’ videos and photos upon account deletion, and failed to comply with the Safe Harbor Framework for data transfer between the U.S. and the European Union.
The settlement subjects Facebook to third-party privacy audits every two years for the next 20 years, requires the site to get users’ consent when implementing site changes that override privacy settings, and requires user data to be deleted within 30 days of accounts being closed.