Archives

All Posts Tagged Tag: ‘privacy’

Facebook Settles FTC Privacy Complaint

Facebook has agreed to settle FTC charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The eight-count complaint charges that the claims were unfair and deceptive, and violated federal law.

Similar to the recent Google Buzz privacy settlement, the proposed Facebook settlement requires the social networking company to take specific steps to ensure it lives up to its privacy promises, including giving consumers clear and prominent notice and obtaining the user’s express consent before their information is shared beyond the privacy settings the user has established.

Facebook also will be required, for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, as well as to ensure that the privacy of consumers’ information is protected.

The proposed settlement also

  • bars Facebook from making misrepresentations about the privacy or security of user’s personal information.
  • requires Facebook to obtain a user’s express consent before effecting changes that override their privacy preferences.
  • requires Facebook to prevent anyone from accessing a user’s material more than 30 days after the user has deleted the account.
  • requires Facebook to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of users’ information.
  • requires Facebook within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

Among the instances cited in the complaint where allegedly made promises that it did not keep:

  • In December 2009, Facebook made changes that allowed made public certain information that users may have designated as private without warning users of the change or getting their approval in advance.
  • Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
  • Facebook promised users that it would not share their personal information with advertisers when in fact, it did.

FTC Gives Final Approval to Google Buzz Settlement

The FTC has approved the settlement with Google regarding the FTC complaint that Google used deceptive practices and violated its own privacy policy when it launched Google Buzz.

The settlement bars Google from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information.

FTC Charges Deceptive Privacy Practices in Google's Rollout of Buzz

Google Inc. has agreed to settle an FTC complaint that it used deceptive tactics and violated its own privacy policy when it launched the Google Buzz social network last year.  In addition to alleged FTC privacy violations,  this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.

The settlement agreement bars the Google from future privacy misrepresentations, requires it to implement a comprehensive privacy program and includes regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information.

According to the FTC complaint, on the day Buzz was launched through the Gmail service, users got a message announcing the new service and were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, some Gmail users who clicked on “Nah…” were enrolled in certain features of the Google Buzz social network anyway. For those Gmail users who clicked on “Sweet!,” the FTC alleges that they were not adequately informed that the identity of individuals they emailed most frequently would be made public by default. Google also offered a “Turn Off Buzz” option that did not fully remove the user from the social network.

When Google launched Buzz, its privacy policy stated that “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” The FTC complaint charges that Google violated its privacy policies by using information provided for Gmail for another purpose – social networking – without obtaining consumers’ permission in advance.

The agency also alleges that by offering options like “Nah, go to my inbox,” and “Turn Off Buzz,” Google misrepresented that consumers who clicked on these options would not be enrolled in Buzz. In fact, they were enrolled in certain features of Buzz.

The complaint further alleges that a screen that asked consumers enrolling in Buzz, “How do you want to appear to others?” indicated that consumers could exercise control over what personal information would be made public. The FTC charged that Google failed to disclose adequately that consumers’ frequent email contacts would become public by default.

Finally, the agency alleges that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor privacy framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The complaint alleges that Google’s assertion that it adhered to the Safe Harbor principles was false because the company failed to give consumers notice and choice before using their information for a purpose different from that for which it was collected.

You can read the settlement agreement, as well as the original complaint and accompanying exhibits on our Web site.