Online businesses that do not adhere to their own electronic privacy policies increasingly find themselves the target of Federal Trade Commission action. The recent consent decrees inked by the FTC, Facebook, Google, and ScanScout serve to warn business and social networking sites against misleading consumers about how they are using visitors' personal information.
In all three of the settled FTC cases, the agency alleged that the businesses made false or misleading representations about their privacy policies in violation of Section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. (15 U.S.C. § 45(a).)
In its complaint against Facebook, the FTC alleged that the company did all of the following: Facebook told users that third-party applications that users installed on their computer - such as Farmville by Zynga - would have access only to information necessary for operating the app. In fact, the apps could access nearly all of the users' personal data.
Facebook also told users they could restrict the sharing of their data beyond a limited audience - for example, with "Friends Only." In fact, selecting that option did not prevent their information from being shared also with the third-party applications their friends used.
Facebook had promised users it would not share their personal information with advertisers, but the FTC charged that it did. Also, Facebook claimed that when users deactivated or deleted their accounts, their uploaded photos and videos would no longer be accessible. However, Facebook still allowed access to the content, according to the FTC. (See In the Matter of Facebook, Inc.
, FTC File No. 92-3184.)
, FTC File No. 102-3136 (Dkt. No. C-4336).)
In November 2011 the FTC also reached a settlement with online advertising network ScanScout, which places video ads on websites for advertisers. ScanScout collects information about viewers' online activities in order to post video ads that specifically target them (aka behavioral advertising). The FTC alleged that ScanScout continued to use electronic cookies stored on users' computers to track their behavior even after telling users they could opt out of that practice. (See In the Matter of ScanScout, Inc.
, FTC File No. 102-3185 (Dkt. No. C-4344).)
In each of the FTC settlements, the respondents agreed to do certain things beyond what would have been required in the normal course of business. For example:
- Both Facebook and Google must obtain consumers' affirmative, express consent before enacting changes that override the users' privacy preferences.
- The two companies must also establish and maintain a comprehensive program to address the privacy risks associated with both new and existing products and services and protect the privacy and confidentiality of consumers' information.
- Every two years for the next 20 years, Facebook and Google must obtain independent, third-party audits certifying that their privacy programs meet or exceed the requirements of the FTC order.
- ScanScout, meanwhile, must tell users what information it is collecting from them and for what purpose, and it must advise them of their right to "opt out" of targeted advertising.
Adhering to Section 5(a) of the FTC Act
The above-mentioned consent decrees highlight the need for businesses to act in accordance with their privacy policies.
Businesses should examine how they use or anticipate using personal information, and fully disclose these uses to consumers.
In addition, businesses should take reasonable measures to safeguard consumers' information. To minimize the dangers from cyberhacking, they must conduct an audit of how consumer information is being safeguarded, what information is being stored, and for what duration. (The FTC settled a complaint against Twitter after alleging the company had failed to take reasonable safeguards to protect users' accounts against hacking.)
Similarly, updating these agreements should be routine. This effort should be coordinated between marketing, IT, and legal departments, with each checking off on the accuracy of the updates.
Michelle Sherman is Of Counsel at Slater Hersey & Lieberman in Irvine, and writes the legal blog
Social Media Law Applied.