The FTC’s recent settlement with Myspace continues the FTC’s enforcement policy of holding online social networking companies to the promises in their privacy policies. On May 8, 2012, the FTC announced that it reached a settlement with Myspace concerning the FTC’s charges that Myspace failed to maintain the privacy and confidentiality of users’ personal information as represented in Myspace’s privacy policy. The FTC’s charges were premised largely on Myspace’s failure to safeguard the unique identification number or “Friend ID” that Myspace assigns to each Myspace account. The Friend ID can be used to access a user’s basic profile information, such as his or her name, age, and gender, and possibly additional personal information depending on the user’s account settings. Myspace’s privacy policy represented that it would not share users’ personally identifiable information without providing notice and obtaining users’ consent. Myspace further represented that the information that it used to customize ads would not individually identify users to third parties and would not share non-anonymized browsing activity.
Contrary to these representations, however, the FTC charged that Myspace provided advertisers with the Friend IDs for users who accessed particular pages on its site. Advertisers could use the Friend ID to obtain users’ publicly available profile information, which for many users included their real names. By linking these names with other personal information, advertisers were able to compile information regarding web-browsing activities for specific Myspace users. The FTC charged that, as a result of these practices, Myspace also failed to meet the requirements of the U.S.-E.U. Safe Harbor Framework. Myspace had self-certified that it was in compliance with the Safe Harbor Framework, which is a set of privacy standards created by the U.S. Department of Commerce in consultation with the European Commission to streamline transactions by U.S. based companies in the European Union.
Myspace Agrees to Implement a Comprehensive Privacy Program
The settlement bars Myspace from misrepresenting the extent to which it protects the privacy and confidentiality of users’ personal information and requires Myspace to implement a comprehensive privacy program. The significant breadth of the privacy program is underscored by its requirements, which include (i) designation of an employee or employees to coordinate and be responsible for the program, (ii) identification on a going forward basis of all reasonably foreseeable, material risks to users’ privacy, internal and external to the company, (iii) the design and implementation of controls and procedures to address all identified risks, and (iv) development of reasonable steps to retain service providers capable of protecting users’ personal information. Myspace agreed to have its privacy program audited by an independent third-party professional on a biennial basis for the next 20 years, with the first audit to be completed within 180 days of entry of the settlement order. The results of each audit must be reported to the FTC.
The FTC Will Be Keeping an Eye on Myspace and Other Social Networking Companies
The terms of Myspace’s settlement are similar to the terms of the settlements that the FTC entered with Twitter, Inc. in June 2010, Google, Inc. in March 2011, and Facebook, Inc. in November 2011. In each of those cases, the FTC charged the companies with failing to protect users’ personal information in a manner consistent with the representations in their privacy policies, among other allegedly deceptive practices. As with the Myspace settlement, the FTC’s settlements with Twitter, Google, and Facebook bar further misrepresentations regarding the extent to which the company protects the confidentiality of consumer information and require independent audits of the company’s privacy program for the next 10 (for Twitter) to 20 (for Google and Facebook) years. As a result, the FTC will be closely monitoring the online social networking market for a long time to come.
For more information regarding the steps that online businesses can take to ensure that their privacy programs pass muster with the FTC, see the recent article by Jeffrey T. Cox and Kelly M. Cline of Faruki Ireland & Cox P.L.L. titled "Parsing the Demographic: The Challenge of Balancing Online Behavioral Advertising and Consumer Privacy Considerations" published in the March 2012 edition of Aspen Publishing's Journal of Internet Law.
