Facebook has reached a deal with the Federal Trade Commission to settle charges that it deceived consumers. The FTC had charged that the social network told people they could keep the information they share private and then allowed for it to be made public. The charges go back to 2009.
The FTC said in a statement that the settlement will force Facebook to get people's approval before changing how the company shares their data. Along with the agreement, Facebook has created a couple of new senior corporate positions whose occupants will be tasked with improving the company's privacy policies. Erin Egan, who recently joined Facebook from the law firm Covington & Burling, will become the company's chief privacy officer, while Michael Richter, now Facebook's chief privacy counsel, will become the chief privacy officer for products.
"These two positions will further strengthen the processes that ensure that privacy control is built into our products and policies," CEO Mark Zuckerberg wrote on a company blog announcing the FTC agreement.
The settlement bars Facebook from making any deceptive privacy claims, such as misrepresentations about the privacy or security of user personal information. It requires Facebook to get user approval before changing the way it shares user data, including getting express consent before making changes that override their privacy preferences. Facebook must prevent anyone from accessing content on a user's account after the account has been deleted.
The settlement also requires Facebook to establish a comprehensive privacy program to address risks associated with development of new products and to get biannual independent audits of its privacy practices for the next 20 years. The audits are subject to Freedom of Information Act rules and may be made public on a case-by-case basis,
Zuckerberg, who has public defended Facebook's privacy commitment, also alluded to missteps.
"I'm the first to admit that we've made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done."
But while he acknowledged the company faces skepticism, Zuckerberg maintained that his goal was to foster greater transparency and privacy controls.
"I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service. Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It's important for people to think about this, and not one day goes by when I don't think about what it means for us to be the stewards of this community and their trust.
The problem stems back to December 2009 when Facebook made changes that publicly exposed information users previously set to private, such as "Friends List," without warning users that the change was coming or getting their approval in advance. Facebook also represented that third-party apps would have access only to user information that the app needed to operate when in fact the apps could access nearly all of the users' personal data. Also, Facebook told users they could restrict data sharing to certain groups of people, such as "Friends Only," but then allowed the information to be shared with third-party apps friends used.
In addition: Facebook claimed to have a "Verified Apps" program to certify the security of certain apps, when it did not; Facebook promised not to share personal information with advertisers but did anyway; Facebook claimed that photos and videos could not be accessed when an account was deactivated or deleted when the content could still be accessed; and Facebook claimed it complied with the U.S.-EU Safe Harbor Framework governing data transfer when it didn't.
On a conference call, FTC chairman Jon Leibowitz, said that his agency had found "numerous violations of the FTC Act, which prohibits deceptive or unfair acts or practices."
"The most important thing is to ensure consumer privacy going forward, and we believe this order does that," he said. CNET's Elinor Mills contributed to this report.