Myspace Settlement With FTC: Another Lesson on Risks in Privacy Policy Promises
Seller Beware: Consumer Protection Insights for Industry
In the latest in a line of FTC enforcement actions challenging company privacy policies, Myspace LLC (Myspace) has reached a settlement agreement to resolve the FTC's claims that the company's privacy policy made false promises to consumers.
According to the FTC's complaint, the policy indicated that Myspace would not share personal information except as described in the policy without first giving notice and receiving permission from the user. The policy also said that information used by third parties to customize ads would not reveal the user's identity to those third parties and that non-anonymized browsing activity would not be shared. But, charged the FTC, these promises didn't square with reality.
The FTC alleged that Myspace provided advertisers with the "Friend ID" of users who were viewing particular pages on the site. Although a Friend ID itself does not provide a user's name, the complaint alleged that, because of a default setting on the site, an advertiser could use the Friend ID to access a user's full profile, which often contains a user's full name. Advertisers could also combine a user's real name and other information to link web browsing activity to specific individuals. A user had to override the default setting if she wanted to hide her full name.
In addition, Myspace had publicly certified with the Department of Commerce that its practices were in compliance with the US-EU Safe Harbor Framework, which requires adherence to specific data privacy and security principles and practices as a means for a US company to obtain personal data from entities in the European Union in accordance with the EU Data Protection Directive. The FTC complaint alleged that Myspace failed to adhere to those principles and, thus, that its Safe Harbor certification was a false representation in violation of section 5 of the FTC Act.
The settlement agreement has many parts. Myspace is prohibited from misrepresenting how it maintains and protects the privacy and confidentiality of users' personal information and from misrepresenting compliance with any privacy or security program, such as the Safe Harbor Framework. Myspace is also required to implement a comprehensive privacy program to address privacy risks associated with users' information. As part of the program, Myspace must designate an employee or employees to coordinate the program, identify reasonably foreseeable material risks relating to disclosure and assess the sufficiency of safeguards to protect against those risks, and regularly test the effectiveness of those safeguards. Finally, every other year for the next 20 years, Myspace must have its privacy program evaluated by an objective, independent professional who will have to certify that the program's protections meet or exceed the settlement's conditions.
The settlement is an important warning about the risk of "over-promising" in a privacy policy and a reminder for businesses to review the statements in their privacy policies on a regular basis, and to consider what those statements imply, to ensure that all messages to the public about company policy are consistent with actual practice.
© Arnold & Porter Kaye Scholer LLP 2012 All Rights Reserved.