The FTC announcement of a consent order confirms a preliminary settlement announced in November, which set new expectations for Facebook's privacy practices. The final settlement follows a waiting period for public comment.
The FTC charged Facebook had shown a pattern of telling users they could keep information private, but then making it public anyway. Facebook admitted no guilt, but agreed to improve and more clearly explain the website's privacy controls. Facebook will also submit to biennial audits of its privacy and security practices.
Separately, in a response to a complaint by the Electronic Privacy Information Center, the FTC said it would interpret the settlement as covering facial recognition technology by Facebook. That is, Facebook would not be able to employ such technology without the informed consent of its users.
[ Find out how Facebook fumbled its roll-out of facial recognition technology. ]
The difference between the settlement with Facebook and this week's ruling against Google is that Google was determined to have violated a prior commitment that it would not place cookie tracking files on the computers of users of Apple's Safari browser.
The Facebook settlement was approved over the dissent of Commissioner J. Thomas Rosch. He was outvoted by three other commissioners, 3-1-1, with a fifth member not participating. Rosch also cast a dissenting vote against the Google settlement, saying the fine was too small to catch the company's attention.
In this case, Rosch objected to allowing Facebook to deny the charges while accepting the settlement, which he said undermined the FTC's authority. This was partly a technical objection because he said the language was inconsistent with the FTC's own rules.
His second objection was that he did not think the language of the settlement was specific enough to make clear that the restrictions on Facebook should extend to third-party apps it hosts on its platform. He cited Forbes writer Jeff Bercovici's reporting on the unclear privacy disclosures provided by apps like the Washington Post social news reader. Bercovici noted that the app allowed him to specify that his activity should be shared "only with me" (which he presumed meant it would be private) but that this didn't prevent his reading habits from being shared with other users of the application. That particular privacy setting turned out to only affect whether a Facebook notification that he had read a particular story would be broadcast to the news feeds of his contacts.
"I consider such inadequate disclosure to be deceptive when it occurs in the Facebook environment, irrespective of whether that failure to fully disclose stems from the conduct of the app or Facebook itself," Rosch wrote. Despite assurances by the commissioners who were in the majority that the settlement language covered third-party apps, Rosch said he wanted to see it spelled out more specifically.
Every company needs a social networking policy, but don't stifle creativity and productivity with too much formality. Also in the debut, all-digital Social Media For Grownups issue of The BrainYard: The proper tools help in setting social networking policy for your company and ensure that you'll be able to follow through. (Free with registration.)