Facebook’s 2011 FTC Consent Order

Chronology

2004: Mark Zuckerberg starts Facebook as a social networking site for Harvard undergraduates.

2006: Facebook launches “News Feed,” which allowed Facebook to post information directly to a user’s page. Within 24 hours, hundreds of thousands of the site’s users protested, prompting Mark Zuckerberg to write an open letter to Facebook users apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them.” Facebook then updated its privacy settings to allow for more user control over the News Feed feature.

2007: Facebook launches Facebook Beacon, a program that broadcast users’ private online purchases on their friends’ News Feeds. Users were given no advance warning of the program and could not opt out. As a result of widespread criticism, Facebook shut down Beacon in 2009.

June 11, 2008: EPIC President Marc Rotenberg testifies before Congress on social network privacy:

Users of social networking sites are also exposed to the information collection practices of third party social networking applications. On Facebook, installing applications grants this third party application provider access to nearly all of a user’s information. Significantly, third party applications do not only access the information about a given user that has added the application. Applications by default get access to much of the information about that user’s friends and network members that the user can see.

February 4, 2009: Facebook changes its Terms of Service. The revised TOS allow Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC plans to file a complaint with the FTC alleging that the new TOS violated the FTC Act.

February 18, 2009: On the eve of EPIC’s FTC complaint, Facebook backs down on its revised TOS, announcing that it will restore the original TOS.

December 17, 2009: EPIC and consumer organizations file a complaint with the FTC alleging that Facebook’s privacy practices were unfair and deceptive. The complaint warns that Facebook granted third party apps unrestricted access to user data without users’ knowledge or consent.

January 14, 2010: EPIC files a supplemental complaint with the FTC concerning recent changes to Facebook’s privacy settings and privacy policy. The complaint focuses on Facebook’s disclosure of information to the public and to third party app developers, and Facebook’s use of deceptive web tracking devices to track users’ Internet activity on third party websites.

July 29, 2010: EPIC urges Congress to strengthen privacy laws for Facebook users. In prepared testimony, EPIC President Marc Rotenberg urged lawmakers to update federal law to protect the privacy of Facebook users, explaining that Facebook’s constant changes to its privacy settings have made it virtually impossible for users to control who gets access to their information.

September 29, 2011: EPIC writes a letter to the FTC urging it to stop Facebook from using cookies to secretly track Internet users “even after they have logged off of Facebook.”

November 29, 2011: Facebook settles FTC charges that it deceived consumers by failing to keep privacy promises. The FTC issued an eight-count complaint against Facebook alleging unfair and deceptive practices by Facebook:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
  • Facebook had a “Verified Apps” program and claimed it certified the security of participating apps. It didn’t.
  • Facebook promised users that it would not share their personal information with advertisers. It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.

Under the proposed FTC Order, Facebook was:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

In its announcement of the settlement, the FTC noted that “Facebook’s privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups.”

December 27, 2011: EPIC’s comments urge the FTC to strengthen the proposed order. Specifically, EPIC recommended that the FTC require Facebook to:

  • Allow users to access all of the data that Facebook keeps about them;
  • Cease creating facial recognition profiles without users’ affirmative consent;
  • Make Facebook’s privacy audits publicly available to the greatest extent possible;
  • Cease secret post-logout tracking of users across websites.

In a separate letter, EPIC also asked the Commission to determine whether Facebook’s Timeline, which made archived and inaccessible information widely available without the consent of the user, was consistent with the terms of the Order.

August 10, 2012: The FTC adopts a Final Order against Facebook without any modifications.

2012 – 2018: The FTC never charges Facebook with a single violation of the Consent Order despite numerous complaints.

March 20, 2018: EPIC and consumer groups urge the FTC to investigate Facebook following revelations that Facebook permitted the disclosure of 87 million user records to the controversial political data mining firm Cambridge Analytica.

March 26, 2018: The FTC confirms an investigation into Facebook.

July 24, 2019: The FTC announces a proposed settlement to end its investigation into Facebook. This was the first fine against Facebook since EPIC and a coalition of privacy organizations filed a complaint with the Commission about the company’s business practices back in 2009. The FTC fined Facebook $5 billion, but required no meaningful changes to the business practices that violate user privacy.

July 26, 2019: EPIC files a Motion to Intervene in United States v. Facebook to protect the interests of Facebook users.

Legal Documents

FOIA Documents