Four ways Facebook must improve privacy after FTC settlement

Facebook users: Get ready for more changes in the way the social network operates.

The Federal Trade Commission announced yesterday that Facebook has agreed to settle the charges that it deceived consumers by telling them they could keep their information on Facebook private, then allowing it to be shared and made public.

In a post on its Web site, the FTC outlines seven instances in which Facebook allegedly made promises to its users that it ultimately did not keep. Among them:

-The claim that Facebook had a “Verified Apps” program and that it certified the security of the participating apps, which it did not.
-The promise that Facebook would not share users’ personal information with advertisers, which it did.
-The claim that when users deactivated or deleted their accounts, their photos and videos would be inaccessible, which was false.

Facebook CEO Mark Zuckerberg took to the Facebook blog yesterday, in part to apologize for the company’s mistakes. He writes:

“I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done. [. . .] But we can always do better. I’m committed to making Facebook the leader in transparency and control around privacy.”

The settlement outlines a number of rules that the social network must abide by to regain trust with users and federal regulators and to better respect users’ privacy. Here’s a look at the required changes and how they will affect your account.

1. “Opt-in” options will take precedence–in most cases

According to the FTC, Facebook is “required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences.”

Specifically, this means that any information Facebook wants to make public–after you have already set it to private or friends-only–will require you to opt-in and will disallow Facebook from automatically making it public.

However, this rule will not apply to new settings Facebook may implement; those will not have to be opt-in.

2. If you delete your account, your info will be deleted after 30 days

It’s no secret that Facebook puts you through the wringer when you try to delete or deactivate your account.

Previously, Facebook claimed that if users deactivated or deleted their accounts, their photos and videos would be inaccessible. In fact, Facebook allowed access to the content even after users deleted or deactivated their accounts.

Under the FTC’s new parameters, Facebook is now required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account.

3. Facebook will establish a new privacy program

In the settlement, Facebook agreed to “establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information,” according to the FTC.

Facebook has already taken steps to fulfill this requirement. In a blog post yesterday, Facebook CEO Mark Zuckerberg announced two new internal positions:

A Chief Privacy Officer of Policy position, which will focus on “engagement in the global public discourse and debate about online privacy and ensure that feedback from regulators, legislators, experts and academics from around the world is incorporated into Facebook’s practices and policies,” and;

A Chief Privacy Officer of Products position, which will help to “expand, improve and formalize [Facebook’s] existing program of internal privacy review.” This role will also work to ensure that Facebook’s principles of user control, privacy by design, and transparency are integrated into both Facebook’s product development process and the products themselves.

4. Facebook will submit to independent audits for 20 years

While this last action won’t affect Facebook users directly, it will help ensure that Facebook is accountable for its actions and is in compliance with the FTC for the foreseeable future.

According to the FTC, Facebook is now required to, within 180 days and every two years after that for the next 20 years, obtain independent, third-party audits to ascertain that it has a privacy program in place that meets or exceeds the requirements of the FTC and to ensure that the privacy of consumers’ information is protected.

Should third-party auditors find at any point that Facebook is in violation of its settlement, each violation may result in a civil penalty of up to $16,000–a relatively small sum for a business rumored to be worth $100 billion.

Facebook has made significant strides in simplifying its privacy settings in the last year. As the site continues to grow and it adds new features, the requirements imposed by the FTC will help keep Facebook accountable and, many hope, refocus attention to users’ privacy.

Kristin Burnham covers consumer technology, social networking and Web 2.0 for CIO.com. Follow Kristin on Twitter @kmburnham. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Kristin at [email protected]