Facebook has settled Federal Trade Commission charges that it deceived its users and failed to keep their information private, agreeing on Nov. 29 to establish a comprehensive privacy program that includes independent audits for the next 20 years.

The FTC alleged that Facebook violated the FTC Act, which bars unfair and deceptive conduct, by falsely promising consumers that their information would be kept private. “On numerous occasions, Facebook violated its privacy commitments to hundreds of millions of users,” said FTC chairman Jon Leibowitz in a conference call with reporters.

For example, the FTC alleged that Facebook changed its Web site in December 2009 so that previously private information, such as friend lists, were made public without warning users in advance or seeking their approval. Facebook also failed to reveal that third-party apps could access nearly all of users' personal data. Facebook also promised users that it would not share their personal information with advertisers, but did so nonetheless. The company also claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had quit.

The settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

There are no monetary penalties ' the FTC does not have authority under the FTC Act to fine companies for violations. But if Facebook doesn't honor the deal, the company is on the hook for $16,000 per violation per day.

The consent decree also includes no admission of wrongdoing, although FTC founder Mark Zuckerberg in his blog acknowledged that “we've made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done.”

He continued, “Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised.”

Zuckerberg announced the creation of two new corporate offices, naming Erin Egan, who was previously co-chairwoman of the global privacy and data security practice of Covington & Burling, as chief privacy officer for policy. Michael Richter will become chief privacy officer for products. He's currently Facebook's chief privacy counsel on the legal team.

In the FTC case, Facebook was represented by Gibson, Dunn & Crutcher partners S. Ashlie Beringer and M. Sean Royall and general counsel Theodore Ullyot.

---

Jenna Greene writes for The National Law Journal, an ALM affiliate of Internet Law & Strategy. She can be contacted at [email protected].

Facebook has settled Federal Trade Commission charges that it deceived its users and failed to keep their information private, agreeing on Nov. 29 to establish a comprehensive privacy program that includes independent audits for the next 20 years.

The FTC alleged that Facebook violated the FTC Act, which bars unfair and deceptive conduct, by falsely promising consumers that their information would be kept private. “On numerous occasions, Facebook violated its privacy commitments to hundreds of millions of users,” said FTC chairman Jon Leibowitz in a conference call with reporters.

For example, the FTC alleged that Facebook changed its Web site in December 2009 so that previously private information, such as friend lists, were made public without warning users in advance or seeking their approval. Facebook also failed to reveal that third-party apps could access nearly all of users' personal data. Facebook also promised users that it would not share their personal information with advertisers, but did so nonetheless. The company also claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had quit.

The settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

There are no monetary penalties ' the FTC does not have authority under the FTC Act to fine companies for violations. But if Facebook doesn't honor the deal, the company is on the hook for $16,000 per violation per day.

The consent decree also includes no admission of wrongdoing, although FTC founder Mark Zuckerberg in his blog acknowledged that “we've made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done.”

He continued, “Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised.”

Zuckerberg announced the creation of two new corporate offices, naming Erin Egan, who was previously co-chairwoman of the global privacy and data security practice of Covington & Burling, as chief privacy officer for policy. Michael Richter will become chief privacy officer for products. He's currently Facebook's chief privacy counsel on the legal team.

In the FTC case, Facebook was represented by Gibson, Dunn & Crutcher partners S. Ashlie Beringer and M. Sean Royall and general counsel Theodore Ullyot.

---

Jenna Greene writes for The National Law Journal, an ALM affiliate of Internet Law & Strategy. She can be contacted at [email protected].