Facebook Settlement Shows FTC Getting New Traction With Privacy Enforcement

Facebook is widely reported to be on the verge of a settlement with the Federal Trade Commission that will force it to tighten up its privacy practices. The agreement, which culminates a high-profile, two-year investigation, appears based on a recent Google (NSDQ: GOOG) case and suggests a new boldness on the part of the federal agency. Here is a guide to how the process works and how it will affect Facebook and its users.

Did Facebook break the law?

In 2009, Facebook changed its privacy policy to make certain user information public to all. Even though users could make the information private again, many believed Facebook crossed a line by failing to ask their permission in the first place. The FTC began an investigation after a broad coalition of groups filed a complaint saying Facebook’s conduct breached Section 5 of the FTC Act, which holds that “unfair or deceptive acts or practices in or affecting commerce…are…declared unlawful.” The existence of a settlement means the FTC had concluded that Facebook’s privacy changes were unfair or deceptive.

What exactly is an FTC settlement?

These settlements occur after the FTC (a federal body charged with overseeing consumer and antitrust issues) investigates and prepares a complaint against a company over its business practices. Rather than fighting the complaint before an FTC judge or in court, a company can settle the matter without admitting any wrongdoing, provided that it agrees to abide by a set of conditions.

Why would Facebook choose to settle?

The alternative would be to fight the FTC in high-profile legal proceedings that would put Facebook’s business and privacy practices under a very public spotlight. And, from Facebook’s perspective, the writing is on the wall: In the last year, the FTC has won a series of major privacy settlements while, in the background, lawmakers continue to beat the privacy drum. A settlement is almost certainly the least painful option.

What does the settlement require of Facebook?

According to the Wall Street Journal (NSDQ: NWS), Facebook will have to sign up for a 20-year marriage with the FTC that will allow the regulator to conduct privacy audits. It will also have to obtain clear consent from users before making changes that impact their privacy. The settlement is almost certainly based on a template the FTC created when it forced Google last March to accept a settlement over privacy breaches related to the search giant’s failed Buzz product. At the time, the regulator boasted, “This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information.” The Google settlement also required the company to make a broad promise that it would not misrepresent its privacy policies.

Will the settlement likely have an impact on the way Facebook does business?

Technically, a company that breaches the terms of an FTC settlement is liable for major civil penalties. In reality, though, such penalties are rarely imposed. The Google settlement’s 20-year span and its “privacy audits” suggest the agreement could have some bite but, as usual, this will depend on how the details play out. While a “privacy audit” sounds stern, the actual requirement in Google’s case is for both sides to select a third-party privacy expert who will report on Google’s practices every two years. It also obliges Google to save its privacy statements and related consumer complaints and submit them to the FTC every three years. While they may force Google (and probably Facebook) to tread more carefully, these measures do not sound like a game changer. They do mean, however, that Facebook will have to be especially careful when it rolls out new products like its much-anticipated Timeline to ensure new features don’t trigger a privacy breach.

Will the settlement likely have a knock-on effect for other companies whose businesses are built around data collection and advertising?

The settlement applies to Facebook alone so other companies will not be directly affected. But the publicity surrounding this case and Google Buzz will certainly cause others to take notice and possibly review their own privacy practices.

Is the FTC starting to get more aggressive on the privacy front?

Yes, the FTC is beginning to fill the vacuum of federal authority in the privacy space. In the absence of federal privacy legislation, the issues of online privacy have largely been addressed by state consumer laws and private class action suits. The settlements, including one earlier this week concerning online tracking, confirm that a relatively new division within the FTC’s Consumer Bureau called “Privacy and Identity Protection” aspires to make a name for itself in online privacy issues. Overall, though, the agency is somewhat limited by the lack of federal privacy legislation. While there is specific law it can enforce related to privacy and children, it must continue to rely on the language of “unfair or deceptive” business practice for other privacy violations.

When will we know exactly what’s in the Facebook settlement?

The broad details have been widely leaked so all that is left is to wait for the formal announcement from the FTC in coming weeks. When that occurs, the agency will flourish the settlement agreement and produce the complaint that the settlement is based on. Facebook, which declined comment for this article, will likely issue a muted statement saying that privacy is important and they are glad the matter is resolved. At this stage, the agreement will still be a “proposed” settlement that is subject to public comment before it is formally adopted.