The FTC alleged that Facebook violated the FTC Act, which bars unfair and deceptive conduct, by falsely promising consumers that their information would be kept private. “On numerous occasions, Facebook violated its privacy commitments to hundreds of millions of users,” said FTC chairman Jon Leibowitz in a conference call with reporters.
For example, the FTC alleged that Facebook changed its Web site in December 2009 so that previously private information, such as friend lists, were made public without warning users in advance or seeking their approval. Facebook also failed to reveal that third-party apps could access nearly all of users' personal data. Facebook also promised users that it would not share their personal information with advertisers, but did so nonetheless. The company also claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had quit.
The settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
There are no monetary penalties ' the FTC does not have authority under the FTC Act to fine companies for violations. But if Facebook doesn't honor the deal, the company is on the hook for $16,000 per violation per day.
The consent decree also includes no admission of wrongdoing, although FTC founder Mark Zuckerberg in his blog acknowledged that “we've made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done.”
He continued, “Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised.”
Zuckerberg announced the creation of two new corporate offices, naming Erin Egan, who was previously co-chairwoman of the global privacy and data security practice of Covington & Burling, as chief privacy officer for policy. Michael Richter will become chief privacy officer for products. He's currently Facebook's chief privacy counsel on the legal team.
In the FTC case, Facebook was represented by Gibson, Dunn & Crutcher partners S. Ashlie Beringer and M. Sean Royall and general counsel Theodore Ullyot.
Jenna Greene writes for The National Law Journal, an ALM affiliate of Internet Law & Strategy. She can be contacted at [email protected].
The FTC alleged that Facebook violated the FTC Act, which bars unfair and deceptive conduct, by falsely promising consumers that their information would be kept private. “On numerous occasions, Facebook violated its privacy commitments to hundreds of millions of users,” said FTC chairman Jon Leibowitz in a conference call with reporters.
For example, the FTC alleged that Facebook changed its Web site in December 2009 so that previously private information, such as friend lists, were made public without warning users in advance or seeking their approval. Facebook also failed to reveal that third-party apps could access nearly all of users' personal data. Facebook also promised users that it would not share their personal information with advertisers, but did so nonetheless. The company also claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had quit.
The settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
There are no monetary penalties ' the FTC does not have authority under the FTC Act to fine companies for violations. But if Facebook doesn't honor the deal, the company is on the hook for $16,000 per violation per day.
The consent decree also includes no admission of wrongdoing, although FTC founder Mark Zuckerberg in his blog acknowledged that “we've made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done.”
He continued, “Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised.”
Zuckerberg announced the creation of two new corporate offices, naming Erin Egan, who was previously co-chairwoman of the global privacy and data security practice of
In the FTC case, Facebook was represented by
Jenna Greene writes for The National Law Journal, an ALM affiliate of Internet Law & Strategy. She can be contacted at [email protected].
This premium content is locked for LawJournalNewsletters subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN LawJournalNewsletters
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already have an account? Sign In Now
For enterprise-wide or corporate access, please contact Customer Service at [email protected] or call 1-877-256-2473.
NOT FOR REPRINT
© 2026 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Continue Reading
Letter Agreement Between Landlord and Tenant Did Not Extinguish GuarantyTreble Damage Award Upheld; Landlord Failed to Establish Overcharge Was Not WillfulDenying Access to Landlord Constituted Breach Entitling Landlord to PossessionTenant Entitled to Yellowstone Injunction With Respect to Taxes and Sewer Charges
New York is one of the first states to adopt laws to regulate artificial intelligence use in advertising and to strengthen post-mortem publicity rights regarding AI-generated replicas and “synthetic performers.” Given the state’s role as a bellwether for consumer-protection and advertising regulation, these new laws, combined with the state’s broader AI legislative framework, represent a shift toward transparency, consent and accountability.
State app store age verification regimes do more than reallocate responsibility between platforms and developers. They create a new data supply chain for age knowledge, one that can move COPPA questions from “do we ask age?” to “what do we do when the platform tells us?” The teams that handle this best will treat platform age signals as sensitive compliance inputs: minimize them, tightly control where they flow, and design product behavior so that minors do not trigger unnecessary collection or disclosure.
The firms leading right now chose to ask what would become possible if they managed the entire revenue lifecycle — from invoice generation to cash receipt — in one place, and what AI could actually accomplish with complete data instead of partial feeds. That is the Power of One.
A recent decision from the U.S. District Court for the Southern District of New York (SDNY), United States v. Heppner, has generated outsized commentary suggesting that the use of generative AI tools may jeopardize attorney-client privilege. A closer reading shows something far less dramatic.
