Changes to Facebook User Privacy Settings

Facebook Privacy Changes Claimed as Unfair and Deceptive

On December 17, 2009, the Electronic Privacy Information Center (EPIC) petitioned the Federal Trade Commission claiming that changes to Facebook user privacy settings constituted an unfair and deceptive practice.

In early November and December, 2009, Facebook changed the process by which users set their respective privacy settings. EPIC alleges that the changes are confusing, replace the simple complete opt-out of information sharing through the Facebook Platform and Facebook Connect functions, and require third party application users to provide developers with personal information that users formerly would have been able to prevent application developers from accessing. The complaint requests that the FTC compel Facebook to restore its former privacy settings.

The complaint alleges that notwithstanding Facebook’s statement in its announcement of the changes that it was providing users more control, the policy creates default settings that allow increased disclosure of personally identifiable information, such as name, current city, and lists of friends, to which a user must specifically opt-out. The complaint raises the threat that crawlers data mining the automatically disclosed information would render ineffective a later opt-out.

The complaint attacks Facebook’s elimination of the one click option to prevent disclosure of personal information to third party application developers for applications utilized by the user. Instead, the complain alleges, a user must engage in a laborious application specific opt-out procedure to prevent application access to the users name, profile picture, gender, and friend list, among other things.

Facebook’s statements about the lawsuit have focused on its coordination with the FTC in creating its privacy policy, and Facebook’s disappointment at EPIC’s complaint in place of discussions between the two groups. Because the FTC has substantial enforcement powers which it has exercised in privacy matters, this matter may illustrate the extent to which the FTC will regulate a how a company discloses its use of personally identifiable information, and its ability to change those uses when affecting a substantial number of users.