News & Insights  |  Alerts


Practice Areas

FTC Issues Proposed Consent Order in Facebook Privacy Enforcement Action

December 1, 2011

On November 29, 2011, the Federal Trade Commission (FTC or Commission) announced a privacy settlement with Facebook, confirming that companies that fail to comply with their privacy polices face potential liability.  The event serves as a reminder that broadcasters should periodically review their privacy policies to ensure they reflect current practices. 

The Facebook Complaint

The Commission alleged that Facebook violated the FTC Act, which prohibits deceptive and unfair trade practices. The FTC pointed to Facebook's failure to honor consumers' privacy preferences, going so far as to change customers' settings to negate their affirmative privacy choices.  Additionally, the agency alleged that Facebook made material misrepresentations regarding: (a) the ability of third-party applications (apps) to access a consumer's personal information; (b) the extent to which the company shared consumers' personal information with advertisers; and (c) the accessibility of photos and videos of consumers who had terminated their accounts.  Finally, the FTC alleged that Facebook deceptively stated that it complied with the U.S.-E.U. Safe Harbor Framework.

FTC's Proposed Consent Order

While the proposed consent order does not include a monetary fine, it imposes substantial compliance obligations on Facebook.  The company must maintain an elaborate reporting, compliance and assessment framework.  The Commission also required Facebook to hire an independent third-party professional bi-annually for the next 20 years to assess, report and certify that the company's privacy program meets or exceeds the standards specified in the order.

Notably, Facebook must establish and maintain a comprehensive privacy policy addressing "covered information."  The FTC includes in "covered information" several types of data not traditionally considered personally-identifying information, including IP addresses, device numbers and persistent identifiers.  Such data are commonly used in behavioral tracking and online advertising, and the "anonymity" of this information has heretofore been a rationale for a light regulatory touch.  The FTC appears to be asserting a policy that these data driving new media and online advertising are entitled to enhanced privacy protections, and the consent order perhaps represented an opportunity for the FTC to further such a policy. 

What Does this Mean For Broadcasters?

Broadcasters should ensure that their privacy policies reflect their current practices.  Because companies are enhancing their websites with apps, engaging in social media, participating in online advertising ventures, offering mobile applications, and more, an old privacy policy can quickly become stale.  Updating a privacy policy can help avoid the adverse publicity and regulatory scrutiny faced by Facebook and many other companies, both large and small. 

In addition, any broadcasters that have established a presence on Facebook, whether through a page, an app, or an advertising arrangement, will need to understand how the FTC consent decree will affect their activities on the Facebook platform.

* Wiley Rein law clerk, Brandon J. Moss, contributed to this Alert.