Facebook has settled charges that it deceived users by breaking its promises to keep their data private, the Federal Trade Commission announced on Friday.
The settlement, proposed in November, requires Facebook to obtain users' express consent before sharing their information more broadly than its privacy policy allowed when users uploaded the data. Facebook also agreed to institute a comprehensive privacy policy and to submit to audits for 20 years. In addition, the company must make sure that no one can access data deleted by users within 30 days of deletion.
The company didn't admit wrongdoing in the case.
The deal resolves an FTC complaint alleging that Facebook repeatedly shared users' data more broadly than they authorized. The best-known example cited by the FTC occurred in December of 2009, when Facebook reclassified a host of data about users as “public” -- including people's names, photos and friend lists. That decision prompted the Electronic Privacy Information Center and other groups to ask the FTC to probe the company.
The FTC's original complaint also alleged that Facebook wrongly allows app developers to access profile information they didn't need, and shared some users' names with advertisers via referrer headers. (Facebook prevailed last year in a lawsuit alleging that it violated people's privacy by sharing their names via referrer headers.)
Commissioner J. Thomas Rosch dissented from the decision to approve the settlement. Rosch said he was concerned that Facebook hadn't admitted to engaging in deceptive practices. "If the Commission allows the respondent to expressly deny that it did engage in that conduct (or to use language that is tantamount to an express denial), there is a questionable basis for us to conclude that that probability exists," he wrote.
Rosch raised the same objection on Thursday to a settlement requiring Google to pay $22.5 million for alleged privacy violations.
Rosch also said he had concerns about whether the settlement with Facebook adequately covered apps with "deceptive information sharing practices." He said he thought the settlement should have clarified that Facebook is responsible when apps that run on its platform mislead users about privacy.