When Facebook changed its default privacy settings in late 2009 and changed the way profile information was shared in April 2010, many privacy advocates alleged that the social networking site had run afoul of the FTC's rules for material changes to a privacy policy. While Facebook's actions are irksome, did they actually break any laws under U.S. privacy regulations?
In April 2010, Facebook altered the way profile information would be shared. If a user chose to not link certain profile information with the corresponding Facebook Page, portions of the profile were initially deleted, rather than allowing users to maintain "text" entries listing their likes, interests and biographical information. Privacy and consumer protection organizations subsequently filed a formal complaint with the FTC on May 5, 2010, alleging deceptive trade practices and violations under consumer protection laws. This recent complaint is in addition to an earlier complaint filed in December 2009 after changes in privacy settings. Both are led by the Electronic Privacy Information Center, or EPIC, and joined by a number of other organizations.
Privacy law is somewhat fractured under U.S. law, where there is no general statute governing the collection and sharing of data from users online. Privacy law in the U.S. is generally less restrictive than in other countries, including the European Union countries, and in many cases, applies only to specific facts involving minors or the obligations of financial institutions.
The recent complaints, however, have approached the violations under consumer protection laws governing unfair and deceptive trade practices. Under that theory, a material change to a privacy policy can constitute an unfair and deceptive trade practice when done without the user's consent. The complaints allege that changes implemented by Facebook without users' consent "violate user expectations, diminish user privacy, and contradict Facebook's own representations."
There is no doubt that the increasing concern has also brought the issue of privacy to the forefront for lawmakers as well. In April, New York Senator Chuck Schumer proposed to the FTC that it use its authority to examine Facebook's practices or appoint a privacy commissioner, and joined with other Democrat Senators in a letter to the Facebook CEO, imploring that the company make its privacy practices more transparent. More recently, the House Judiciary Committee has asked that Facebook cooperate with its inquiries into Facebook's privacy practices. As a result, the recent controversy has the potential to significantly affect the landscape of privacy law in the United States in the future.
A decision from the FTC may not come any time soon, but the recent May complaint also comes on the heels of a security breach that enabled users to view others' private chats, and allowed users' private data to be sent to advertisers by mistake. In response to the growing concern that Facebook defaults to revealing private information rather than protecting it, Facebook recently revealed a simplified method for users to control their privacy settings, in which users are provided with three basic options—to share certain information with anyone, with "friends of friends", or with the user's friends only. Facebook's default "recommended" settings share some information, like user's name, gender and profile photo with anyone; make user's photos accessible to "friends of friends;" and restrict access to user's contact information to "friends only." Criticism continues over the amended approach, reiterating that the "recommended" option should always be the most stringent settings, however Facebook asserted that the site's primary focus is establishing and facilitating "connections" and has maintained that Facebook is devoted to protecting users' privacy. It remains to be seen whether the FTC complaints will be found to have merit, or whether these recent changes will be enough to satisfy users and keep Facebook a leader in social networking.
Vol. 53, June 2010