The Federal Trade Commission (FTC) reached a settlement yesterday with Facebook for charges "that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." The agreement will require that Facebook "take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established."
In a nutshell, Facebook is:
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
These requirements are quite similar to those placed on Google in the settlement of FTC claims against its defunct Google Buzz program, and are well in line with the FTC's privacy report, to which MRA filed response comments in February. MRA's General Counsel, LaToya Lang, will likely go into greater depth on the details of the settlement and the compliance tips for the profession to follow. I can also recommend Brian Tarran's article, "What the Facebook FTC settlement means for market research", for a good thousand-foot overview.
As in the FTC's agreement with Google earlier this year, the red flag for researchers should be that if you run afoul of the FTC's expectations, the agency could end up effectively micromanaging how you handle your data for the next 20 years.
Our biggest legislative/regulatory concern is the FTC's creation, through case law, of a requirement to "obtain consumers' affirmative express consent before enacting changes that override their privacy preferences" -- meaning, Facebook users must opt in to any material changes to privacy policies and practices.
MRA considers appropriate notice with an opt out to be a reasonable expectation, but opposes an express affirmative consent standard. Such a standard is ill-suited to research, and would be most debilitating for online panel companies and online research communities (who keep huge rosters of participants) and focus group facilities (who maintain large lists of potential participants). It would likely be impossible to get express affirmative consent from millions of people before changing a policy or practice.