Federal Government Targets Privacy Violations by Social Media Companies

Sheppard Mullin Richter & Hampton LLP
Contact
LinkedIn
Facebook
X
Send
Embed

[author: Neil Ray]

Continuing its focus on privacy issues, the Federal Trade Commission (FTC) reached a settlement earlier this month with social networking service, Myspace, over charges that it misrepresented its protection of users' personal information. The FTC alleged that Myspace allowed advertisers to access personally identifiable information despite previous assurances to its users that it would keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years.

The primary data practice at issue was Myspace's alleged sharing of the unique identifier assigned to each profile of each Myspace user called a “Friend ID” with third-party advertisers to customize advertisements directly on its site. The FTC alleged that advertisers could use the identifier - by simply typing the Friend ID in the URL after the slash in www.myspace.com/ - to access a particular user's profile and personal information. A user's profile contains some basic profile information such as his or her age, gender, profile picture (if the user chooses to include one), display name, and, by default, the user's full name. User profiles also may contain additional information such as pictures, hobbies, interests, and lists of users' friends. The FTC also alleged that advertisers could use a tracking cookie to combine an individual user's real name and other personal information to link broader web-browsing activity to that specific individual.

Myspace's privacy policy promised it would not share users personally identifiable information, or use such information in a way that was inconsistent with the purpose for which it was submitted, without first giving notice to users and receiving their permission to do so. The privacy policy also promised that the information used to customize ads would not individually identify users to third parties and would not share non-anonymized browsing activity. The FTC alleged that the Myspace's use of the Friend ID was not described in its privacy policy and it did not receive permission from its users for such sharing. The FTC charged that this constituted deceptive statements in its privacy policy which violated federal law (Section 5(a) of the Federal Trade Commission Act).

In addition, Myspace certified that it complied with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States. As part of its self-certification, Myspace claimed that it complied with the Safe Harbor Principles, including the requirements that consumers be given notice of how their information will be used and the choice to opt out. The FTC alleged that these statements were false.

The proposed settlement bars Myspace from misrepresenting the extent to which it protects the privacy of users' personal information or the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework. The order also requires that Myspace establish a comprehensive privacy program designed to protect consumers' information, and to obtain biennial assessments of its privacy program by independent, third-party auditors for 20 years.

Since 2010, the FTC has reached a dozen settlements against companies that the agency accused of failing to uphold their privacy promises to consumers. The agreement with Myspace is similar to one the FTC made in November with Facebook over its sharing of users’ information with advertisers and making public information that it had said would be kept private. Under that settlement, Facebook is required to submit to a third-party privacy audit every two years for the next 20 years and to obtain express consent before making changes that override user privacy preferences. In March 2011, Google agreed to settle the agency's claims that it used deceptive practices and violated its own privacy policies when it launched its Google Buzz social network in 2010. That agreement, similar to the later ones with Facebook and Myspace, also requires regular privacy audits for the next 20 years.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide