The recent consent decrees that the FTC entered into with Facebook, Google and online advertiser ScanScout highlight the need for businesses to make sure they are acting in accordance with their privacy policies. Businesses are well advised to take the following actions:
(2) Examine how the businesses are using personal information or anticipate using it, and that these uses are being fully disclosed to consumers; and
(3) Take reasonable measures to safeguard consumer information. Because of the risks of cyberhacking, it is also worthwhile to conduct an audit on how consumer information is being safeguarded, and what information is being stored and for how long a period. The FTC settled a complaint against Twitter for its alleged failure to take reasonable safeguards to protect users' accounts against hackers.
In all of these complaints, the FTC alleged that the respondents made false or misleading representations about their privacy policies in violation of Section 5(a) of the FTC Act. The FTC Act prohibits unfair or deceptive acts or practices. 15 U.S.C. § 45(a).
The consent decrees entered into by Facebook, Google and ScanScout in order to avoid more costly litigation and possibly stiffer penalties are similar in some key respects, and include some terms that will increase their costs of doing business. As is sometimes the case with the FTC, the FTC conditioned the settlements on these businesses agreeing to change their business practices in ways that may place them at a competitive disadvantage to their competitors because some of the additional privacy measures they must now take are not required under current law.
2. Lessons To Be Learned From The FTC Settlements With Facebook And Others
It is instructive to know how these businesses allegedly violated the terms of their privacy policies with users because the same may be true for many companies.
(a) Facebook Complaint
In its complaint against Facebook, the FTC alleged:
(1) Facebook told its users that third-party apps that users installed – such as Farmville by Zynga– would have access only to user information that they needed to operate. In fact, the apps could access nearly all of the users' personal data.
(2) Facebook told users that they could restrict sharing of data to limited audiences – for example, with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with the third-party applications their friends used.
(3) Facebook promised users it would not share their personal information with advertisers. Facebook did according to the FTC.
(4) Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible, when in fact Facebook allowed access to the content according to the FTC.
(5) Facebook also claimed that it complied with the U.S. – EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union, but it did not.
(b) Google Complaint
Google is also faulted for making use of its users' data in ways that was contrary to what Google was telling users about the launching of Google's Buzz social network through its Gmail web-based email product. The FTC alleged that "Google led Gmail users to believe that they could choose whether or not they wanted to join the [Buzz] network, [but] the options for declining or leaving the social network were ineffective." Google was apparently trying to immediately ramp up its social network in order to compete with Facebook. The Buzz launch ended up being a public relations nightmare for Google with thousands of consumers reportedly complaining that they were concerned about public disclosures of their email contacts from which Google tried to create immediate Buzz connections for users. In some cases, use of the emails disclosed ex-spouses, therapists, employers or competitors.
(c) Online Advertiser ScanScout Complaint
In the ScanScout action, the company Tremor Video, Inc. is also subject to the settlement order because ScanScout merged with Tremor Video. This settlement also highlights the importance of doing an audit of a target company's social media activity before acquiring or merging with it so your company will have more information concerning the legal risks of the deal.
In each of these cases, the FTC is making the settling party do some things that are more than they would have been required to do in the normal course of business, thereby, making it more challenging and expensive for them to do business.
These consent decrees require the settling party to do the following:
(1) Tell users what information is being collected and for what purpose, with the right to "opt out" of the targeted advertising (ScanScout);
(2) Obtain consumers' affirmative express consent before enacting changes that override their privacy preferences (Facebook; Google);
(3) Establish and maintain a comprehensive privacy program to address privacy risks associated with new and existing products and service, and protect the privacy and confidentiality of consumers' information (Facebook; Google); and
(4) Every two years, for the next 20 years, obtain independent, third party audits certifying that the privacy program meets or exceeds the requirements of the FTC order (Facebook; Google).