Did Facebook break the law when it changed privacy settings?
Given all of the complaining around the Web about the privacy transition at Facebook, you’d think perhaps the social networking company had broken the law with its new settings. In fact, it may have.
The Electronic Privacy Information Center [EPIC], along with a host of other privacy groups, filed a complaint [PDF] with the Federal Trade Commission today, alleging that the privacy changes violate federal law and urging the FTC to investigate.
Beyond really pissing off its users, what did Facebook do to bring on this complaint?
In the pre-privacy-debacle version of Facebook, the only information that was public for all users was name and network. After the transition, users’ names, profile photos, gender, and hometown suddenly became “publicly available information.”
Surprise! This was not disclosed by the transition tool, and instead was announced in blog posts and news coverage following the transition. That is a problem.
EPIC has been itching to file a complaint against Facebook for a while. Executive director Marc Rotenberg nearly filed a complaint earlier this year when the company suddenly changed its terms of service to say it owned users’ data. Facebook quickly reversed itself on that.
Will Facebook reverse itself on its privacy changes? Or is it going to fight this one out?
A spokesman tells Marketwatch:
“We’ve had productive discussions with dozens of organizations around the world about the recent changes, and we’re disappointed that EPIC has chosen to share their concerns with the FTC while refusing to talk to us about them.”
The spokesman, Andrew Noyes, also said that Facebook discussed its privacy program with regulators “including the FTC” prior to its launch.
The Gateway decision does not bode well for the company though. Law firm Perkins Coie wrote at the time:
The proposed Gateway settlement affects any company that materially changes its privacy policies in ways that contradict promises made to consumers at the time their information was collected. For example, if the old policy told consumers that the company would not share personal information with third parties, the company cannot do so under the new policy unless the company obtains from consumers opt-in consent for the continuing use of information collected under the old policy. Also, companies that have promised in their privacy policies to “notify” customers of material changes in the policy must do more than simply post the new policy to its Web site and provide an opt-out period. Instead, they must also provide an explanation of the changes.
The “privacy transition tool” notified us that some changes were being made, but it was not explicit about those changes. Meaning many of us were surprised and confused by them. Even the company’s CEO.