FTC Settlement with MySpace Provides a Reminder on Privacy Basics

June 2012

The social networking website MySpace may have faded from its former glory, but it is still up and running with some 25 million users. Its decline, however, did not prevent it from coming into the crosshairs of the Federal Trade Commission (FTC). As a consequence, the FTC and MySpace recently reached a settlement over allegations that MySpace violated its own privacy policy.

The Policy and Violation

MySpace's error was simple, but an instructive reminder of the fundamental need to make sure that a company's privacy policy accurately describes its practices and that its practices conform to the policy.  MySpace users create online profiles containing a wide range of personal information and are assigned a persistent unique profile, called a "Friend ID."  MySpace's privacy policy promised that it would not share a user's personally identifiable information (PII), or use such PII in a manner inconsistent with the purpose for which the user provided it, without prior notice to and consent from the consumer.  MySpace's privacy policy also said that users would not be identified to third-party advertisers, nor would it share a user's non-anonymized browsing activity.  Finally, MySpace represented that it complied with the requirements of the U.S.-EU Safe Harbor Framework to facilitate data transfers from the European Union.

Although these promises are fairly common to many websites, the FTC alleged that MySpace did not in fact live up to them.  The major problem cited by the FTC was that MySpace gave third-party advertisers the Friend ID of users viewing particular pages.  Those advertisers, in turn, easily could use the Friend ID to visit the user's MySpace profile to collect all publicly available PII that the user has posted (and the default setting made real names publicly available).  In addition, by combining the Friend ID with tracking cookies, advertisers could develop a broader history of the user's web-browsing activity.  While none of these practices per se violated federal law, each of them violated MySpace's own published privacy policy, because the Friend ID and PII were transferred without informing consumers or obtaining consent.  And that constituted a deceptive trade practice in violation of Section 5 of the FTC Act. 

In addition, the FTC alleged that MySpace's action violated its obligation under the U.S.-EU Safe Harbor Privacy Principles to give consumers notice of how their information will be used and the choice to opt out.  Failing to comply with the commitments one makes when self-certifying Safe Harbor compliance also is a violation of Section 5. 

Consent Order Requirements

Rather than litigate, MySpace's new owners chose to settle.  As in previous FTC Section 5 enforcement actions against prominent Internet firms such as Google, Facebook and Twitter, MySpace will operate for many years under a consent decree.  The settlement will require MySpace to take a number of steps easily recognizable to anyone familiar with those previous settlements. 

In particular, the agreement will require MySpace not to make any further misrepresentations of its privacy practices. It also specifies steps intended to prevent future problems. These include the creation of a comprehensive privacy program designed to identify and address privacy risks related to MySpace's services, and to protect the confidentiality of personal information. Among the actions required are designating an employee or employees to coordinate and be responsible for the privacy program, identifying reasonably foreseeable risks to privacy, implementing reasonable privacy controls to address those risks, and undergoing privacy audits every two years for the next 20 years.

Even if its luster has dimmed in recent years, MySpace still has some 25 million users, so the FTC's action does serve to protect the privacy interests of a large number of people. More importantly, however, the FTC often uses enforcement actions and settlements to send a message to the larger industry. Here, the message (make sure that you do what you say and say what you do) should remind all businesses that it would be a good idea to review their websites and privacy policies to ensure that they remain accurate.

When was the last time your company reviewed its practices to verify that they conform to its privacy policy?