Advisory: Facebook Enters Settlement with FTC Over Deceptive Privacy Practices

November 29, 2011

On November 29, 2011, Facebook, Inc. (“Facebook”) agreed to settle charges before the Federal Trade Commission (“FTC”) of deceptive privacy practices.

The eight-count FTC complaint alleges that Facebook engaged in a number of false or misleading representations, and unfair and deceptive acts or practices.  Some of the counts stem from December 2009 changes Facebook made to its privacy policy, eliminating users’ ability to restrict access to certain profile information, hide Friend Lists, and opt out of having their profiles be discoverable on Facebook.  The FTC alleges that Facebook did not adequately disclose the nature of these changes, and that Facebook’s claim that the changes provided users with “more control” over their information was deceptive.  Likewise, the FTC alleges that, by implementing these changes, Facebook made public, without users’ informed consent, information that users had previously made private, constituting an unfair act or practice.

Other counts in the complaint arise from alleged misrepresentations, including that:

  • Users could restrict access to certain user information, including birthday, hometown, education, and employment;
  • Facebook would not share users’ personal information with advertisers;
  • Facebook reviewed the security of applications for its “Verified Apps” program;
  • Third-party apps would have access to only the information needed to operate;
  • Users’ information, including photos and videos, would be inaccessible after users deactivated or deleted their accounts; and
  • Facebook was in compliance with the U.S.-EU Safe Harbor framework.

According to the settlement, these statements were false.

The proposed consent order requires Facebook to (1) refrain from making any further misleading or deceptive representations regarding users’ privacy; (2) obtain express user consent before overriding users’ privacy preferences or otherwise changing the way it uses user information; and (3) submit to regular privacy audits by an independent third party every two years for the next 20 years.

The proposed settlement is substantially similar to the settlement earlier this year between the FTC and Google.  Most significantly, the FTC again requires implementation of a comprehensive privacy program with ongoing audit requirements.  The FTC described those conditions in relation to the Google settlement as “good business practices” the FTC would “expect to see widely followed across the industry.”  The proposed consent decree with Facebook suggests the FTC will continue imposing such practices in future settlements involving privacy issues.  Several members of Congress, including Sens. Jay Rockefeller (D-W.Va.) and John Kerry (D-Mass.), and Reps. Ed Markey (D-Mass.), Joe Barton (R-Texas), and Anna Eshoo (D-Calif.), have issued approving statements regarding the FTC’s settlement.

The consent order is open for comments from the public until December 30, 2011.

For more information regarding the consent order, or Wiltshire & Grannis’ privacy practice, please contact John Nakahata, Brita Strandberg, Paul Margie, Rob Carter, Madeleine Findley or Kristine Devine.



At HWG, we’re always looking for smart, talented people to add to our team.


  • 1919 M Street NW, Eighth Floor
    Washington, DC 20036-3537
  • 1033 Wade Ave, Suite 100
    Raleigh, NC 27605-1155