Facebook has settled with the Federal Trade Commission on charges that it rolled out upgrades that overrode users' privacy settings without obtaining their consent and shared their private information with third-party apps and advertisers.
The settlement marks the first time that the FTC has taken action against the social network, though its European counterparts have been more aggressive in attempts to regulate Facebook and others. The European Commission reportedly intends to amend data-protection laws to ban targeted advertising unless users explicitly opt in, and Facebook would be subject to fines if it fails to comply.
The eight-count FTC complaint includes a December 2009 instance when a Facebook update made previously private information -- such as friend lists and pages a user had liked -- public without warning, Facebook's misleading representation that third-party apps could access only limited user information, and the claim that photos and videos would disappear if a user deleted the account, when in fact they sometimes remained accessible.
The complaint also contends that Facebook made personal information available to advertisers in instances between September 2008 and May 2010, alleging that advertisers could access identifying details about users who clicked on their ads, along with other facts, like their browsing history.
"To consumers, be assured that Facebook should seek your consent before overriding your privacy settings," said FTC Chairman Jon Leibowitz.
Like the settlement reached with Google over its now-defunct social-networking Buzz product in March, the settlement carries no financial penalty. Facebook is subject to a $16,000 fine per violation per day if it fails to comply with the terms of the order. In addition to obtaining users' explicit consent before making changes that override their existing privacy settings Facebook must institute a privacy program that 's required to be audited by a third-party company every two years for 20 years.
In a blog posting today, Facebook CEO Mark Zuckerberg announced that he's creating two new roles -- chief privacy officers focused on policy and products, respectively -- to assist with regulatory compliance.
"I'm the first to admit that we've made a bunch of mistakes," Mr. Zuckerberg wrote. "In particular, I think that a small number of high profile mistakes, like Beacon [an advertising program that pulled users' activity on third-party sites into their news feed and inspired a class-action lawsuit] four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done."