Facebook Inc., the world’s biggest social networking site, agreed to settle complaints by the Federal Trade Commission that it failed to protect users’ privacy or disclose how their data could be used.
The proposed 20-year agreement would require Palo Alto, California-based Facebook to get clear consent from users before sharing material posted under earlier, more restrictive terms, the FTC said today in a statement. It would also compel independent reviews of Facebook’s privacy practices.
“Companies must live up to their promises about privacy,” FTC Chairman Jon Leibowitz said on a conference call with reporters. The settlement “will protect consumer choices and ensure they have full and truthful information about their data.”
The settlement is part of an effort to resolve legal issues that could be a distraction as Facebook moves toward an initial public offering, said Francis Gaskins, president of Los Angeles-based IPODesktop.com, a Web site that tracks IPOs. Facebook is considering an IPO that would raise $10 billion and value the company at more than $100 billion, a person familiar with the matter said.
‘Clear the Decks’
“They’re obviously trying to clear the decks to take off,” Gaskins said in an interview, adding that the settlement “should give some comfort” to potential investors.
In a blog posting, Facebook Chief Executive Officer Mark Zuckerberg said the company should have been more vigilant in protecting users’ privacy.
“I’m the first to admit that we’ve made a bunch of mistakes,” he said.
The FTC is stepping up enforcement of privacy requirements at Internet companies and this year has settled complaints with Google Inc. and Twitter Inc.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based advocacy group that filed a complaint against Facebook over privacy issues in 2009, said today’s settlement “is a sweeping order that will prevent Facebook from disregarding the privacy interests of its users in the future.”
It should also should send a message to the Internet industry at large, Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection, said in an interview.
“The provisions of the order are good practices for all companies to follow,” Mithal said. “Companies should seek permission from consumers before they make changes to how they treat personal information.”
Zuckerberg said the company already has addressed many of the FTC’s concerns. Today he appointed Erin Egan, a former partner at Covington & Burling who specialized in data security, as chief privacy officer, policy, and Michael Richter, the company’s head privacy counsel, as chief privacy officer, products, Zuckerberg said.
The settlement, which the FTC’s commissioners approved 4-0, requires Facebook to establish a “comprehensive privacy program” and block access to a user’s account within 30 days of it being deleted, according to the FTC’s statement. The company also is barred from making any deceptive claims about its privacy practices.
Audits by an independent third party will help build faith in Facebook’s efforts, said Elliot Schrage, a Facebook spokesman.
“Oversight fosters trust by providing users with additional assurances that the commitments we make are being upheld,” he said in an e-mail.
Michael Gartenberg, an analyst at Gartner Inc., a Stamford, Connecticut technology research company, said, “There’s no doubt Facebook and privacy have not gone well together in the past.”
The FTC said Facebook shared users’ personal information with advertisers after promising it wouldn’t. Facebook also pledged it would restrict sharing of information to designated “friends” of users while the data also was accessible to third-party applications used by the friends, the FTC said in the statement.
Facebook assured users that third-party applications only had access to data required for them to function, while, in fact, the applications had access to almost all of a user’s personal information, according to the agency.
The company’s “Verified Apps” program to certify the security of applications didn’t work, the FTC said.
In other FTC actions on Internet privacy, Google Inc. agreed in March to settle claims that the Mountain View, California-based company used deceptive tactics and violated its own privacy policies when it introduced its Buzz social-networking service last year.
That same month, the agency accepted a settlement with Twitter, resolving charges that the San Francisco-based company deceived consumers and put their privacy at risk.
The regulator has said the online-advertising industry’s self-policing effort allowing Internet users to block ads based on their web browsing fails to protect consumers.