Facebook, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 75883-75885 [2011-31158]
Download as PDF
<![CDATA[
Federal Register / Vol. 76, No. 233 / Monday, December 5, 2011 / Notices
Unless otherwise noted, comments
regarding each of these applications
must be received at the Reserve Bank
indicated or the offices of the Board of
Governors not later than December 30,
2011.
A. Federal Reserve Bank of Chicago
(Colette A. Fried, Assistant Vice
President) 230 South LaSalle Street,
Chicago, Illinois 60690–1414:
1. ISB Bancorp, Inc., Tonica, Illinois,
to become a bank holding company by
acquiring Tonica Bancorp, Inc., Tonica,
Illinois, and thereby to acquire control
of Illini State Bank, Oglesby, Illinois.
Board of Governors of the Federal Reserve
System.
Dated: November 30, 2011.
Robert deV. Frierson,
Deputy Secretary of the Board.
[FR Doc. 2011–31126 Filed 12–2–11; 8:45 am]
BILLING CODE 6210–01–P
FEDERAL TRADE COMMISSION
Agency Information Collection
Activities; Request for OMB Review;
Comment Request
AGENCY:
Federal Trade Commission.
Notice and request for comment;
correction.
The Federal Trade
Commission published a notice and
request for comment on November 29,
2011, concerning information requests
to beverage alcohol advertisers, as
required by the Paperwork Reduction
Act. This document makes a technical
correction to a hyperlink contained in
that document.
SUMMARY:
Effective Date: December 5, 2011.
FOR FURTHER INFORMATION CONTACT:
Janet M. Evans, Attorney, (202) 326–
2125, or Carolyn L. Hann, Attorney,
(202) 326–2745, Division of Advertising
Practices, Bureau of Consumer
Protection, Federal Trade Commission,
Washington, DC 20580.
In FR Doc.
2011–30434, appearing on page 73640
in the Federal Register of Tuesday,
November 29, 2011, the following
correction is made: SUPPLEMENTARY
INFORMATION:
jlentini on DSK4TPTVN1PROD with NOTICES
SUPPLEMENTARY INFORMATION:
B. Information Requests to the Beverage
Alcohol Industry [Corrected]
On page 73643, in the first column,
‘‘https://www.ftc.gov/fedreg2011/11/
111121alcoholstudypra2supp.pdf’’ is
corrected to read ‘‘https://www.ftc.gov/
VerDate Mar<15>2010
16:52 Dec 02, 2011
Jkt 226001
Richard C. Donohue,
Acting Secretary.
[FR Doc. 2011–31082 Filed 12–2–11; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION
[File No. 092 3184]
Facebook, Inc.; Analysis of Proposed
Consent Order To Aid Public Comment
Federal Trade Commission.
Proposed consent agreement.
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis to Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
agreement—that would settle these
allegations.
SUMMARY:
Comments must be received on
or before December 30, 2011.
ADDRESSES: Interested parties may file a
comment online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘Facebook, File No. 092
3184’’ on your comment, and file your
comment online at https://
ftcpublic.commentworks.com/ftc/
facebookconsent, by following the
instructions on the Web-based form. If
you prefer to file your comment on
paper, mail or deliver your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
FOR FURTHER INFORMATION CONTACT:
Laura Berger (202) 326–8364), FTC,
Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to section 6(f) of the Federal Trade
Commission Act, 38 Stat. 721, 15 U.S.C.
46(f), and § 2.34 the Commission Rules
of Practice, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
DATES:
ACTION:
DATES:
os/fedreg/2011/11/
111121alcoholstudypra2supp.pdf.’’
PO 00000
Frm 00024
Fmt 4703
Sfmt 4703
75883
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for November 29, 2011), on
the World Wide Web, at https://
www.ftc.gov/os/actions.shtm. A paper
copy can be obtained from the FTC
Public Reference Room, Room 130–H,
600 Pennsylvania Avenue NW.,
Washington, DC 20580, either in person
or by calling (202) 326–2222.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before December 30, 2011. Write
‘‘Facebook, File No. 092 3184’’ on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the public Commission
Web site, at https://www.ftc.gov/os/
publiccomments.shtm. As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which is obtained
from any person and which is privileged
or confidential,’’ as provided in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2).
In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).1 Your comment will be kept
1 In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
E:\FR\FM\05DEN1.SGM
Continued
05DEN1
75884
Federal Register / Vol. 76, No. 233 / Monday, December 5, 2011 / Notices
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
facebookconsent by following the
instructions on the Web-based form. If
this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘Facebook, File No. 092 3184’’ on
your comment and on the envelope, and
mail or deliver it to the following
address: Federal Trade Commission,
Office of the Secretary, Room H–113
(Annex D), 600 Pennsylvania Avenue
NW., Washington, DC 20580. If possible,
submit your paper comment to the
Commission by courier or overnight
service.
Visit the Commission Web site at
https://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before December 22, 2011. You can find
more information, including routine
uses permitted by the Privacy Act, in
the Commission’s privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
jlentini on DSK4TPTVN1PROD with NOTICES
Analysis of Agreement Containing
Consent Order To Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, a
consent agreement from Facebook, Inc.
(‘‘Facebook’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
Since at least 2004, Facebook has
operated https://www.facebook.com, a
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
VerDate Mar<15>2010
16:52 Dec 02, 2011
Jkt 226001
social networking Web site that enables
a consumer who uses the site (‘‘user’’)
to create an online profile and
communicate with other users. Among
other things, a user’s online profile can
include information such as the user’s
name, a ‘‘profile picture,’’ interest
groups they join, a ‘‘Friend List’’ of
other users who are the user’s ‘‘Friends’’
on the site, photo albums and videos
they upload, and messages and
comments posted by them or by other
users. Users can also use third-party
applications through the site (‘‘Apps’’)
to, for example, play games, take
quizzes, track their physical fitness
routines for comparison to their friends’
routines, or receive discount offers or
calendar reminders. As of August 2011,
Facebook had more than 750 million
users.
The Commission’s complaint alleges
eight violations of Section 5(a) of the
FTC Act, which prohibits deceptive and
unfair acts or practices in or affecting
commerce, by Facebook:
• Facebook’s Deceptive Privacy
Settings: Facebook communicated to
users that they could restrict certain
information they provided on the site to
a limited audience, such as ‘‘Friends
Only.’’ In fact, selecting these categories
did not prevent users’ information from
being shared with Apps that their
Friends used.
• Facebook’s Deceptive and Unfair
December 2009 Privacy Changes: In
December 2009, Facebook changed its
site so that certain information that
users may have designated as private—
such as a user’s Friend List —was made
public, without adequate disclosure to
users. This conduct was also unfair to
users.
• Facebook’s Deception Regarding
App Access: Facebook represented to
users that whenever they authorized an
App, the App would only access the
information of the user that it needed to
operate. In fact, the App could access
nearly all of the user’s information, even
if unrelated to the App’s operations. For
example, an App that provided
horoscopes for users could access the
user’s photos or employment
information, even though there is no
need for a horoscope App to access such
information.
• Facebook’s Deception Regarding
Sharing with Advertisers: Facebook
promised users that it would not share
their personal information with
advertisers; in fact, Facebook did share
this information with advertisers when
a user clicked on a Facebook ad.
• Facebook’s Deception Regarding Its
Verified Apps Program: Facebook had a
‘‘Verified Apps’’ program through
which it represented that it had certified
PO 00000
Frm 00025
Fmt 4703
Sfmt 4703
the security of certain Apps when, in
fact, it had not.
• Facebook’s Deception Regarding
Photo and Video Deletion: Facebook
stated to users that, when they
deactivate or delete their accounts, their
photos and videos would be
inaccessible. In fact, Facebook
continued to allow access to this
content even after a user deactivated or
deleted his or her account.
• Safe Harbor: Facebook deceptively
stated that it complied with the U.S.-EU
Safe Harbor Framework, a mechanism
by which U.S. companies may transfer
data from the European Union to the
United States consistent with European
law.
The proposed order contains
provisions designed to prevent
Facebook from engaging in practices in
the future that are the same or similar
to those alleged in the complaint.
Part I of the proposed order prohibits
Facebook from misrepresenting the
privacy or security of ‘‘covered
information,’’ as well as the company’s
compliance with any privacy, security,
or other compliance program, including
but not limited to the U.S.-EU Safe
Harbor Framework. ‘‘Covered
information’’ is defined broadly as
‘‘information from or about an
individual consumer, including but not
limited to: (a) A first or last name; (b)
a home or other physical address,
including street name and name of city
or town; (c) an email address or other
online contact information, such as an
instant messaging user identifier or a
screen name; (d) a mobile or other
telephone number; (e) photos and
videos; (f) Internet Protocol (‘‘IP’’)
address, User ID, or other persistent
identifier; (g) physical location; or (h)
any information combined with any of
(a) through (g) above.’’
Part II of the proposed order requires
Facebook to give its users a clear and
prominent notice and obtain their
affirmative express consent before
sharing their previously-collected
information with third parties in any
way that materially exceeds the
restrictions imposed by their privacy
settings. A ‘‘material . . . practice is one
which is likely to affect a consumer’s
choice of or conduct regarding a
product.’’ FTC Policy Statement on
Deception, Appended to Cliffdale
Associates, Inc., 103 F.T.C. 110, 174
(1984).
Part III of the proposed order requires
Facebook to implement procedures
reasonably designed to ensure that a
user’s covered information cannot be
accessed from Facebook’s servers after a
reasonable period of time, not to exceed
E:\FR\FM\05DEN1.SGM
05DEN1
jlentini on DSK4TPTVN1PROD with NOTICES
Federal Register / Vol. 76, No. 233 / Monday, December 5, 2011 / Notices
thirty (30) days, following a user’s
deletion of his or her account.
Part IV of the proposed order requires
Facebook to establish and maintain a
comprehensive privacy program that is
reasonably designed to: (1) Address
privacy risks related to the development
and management of new and existing
products and services, and (2) protect
the privacy and confidentiality of
covered information. The privacy
program must be documented in writing
and must contain controls and
procedures appropriate to Facebook’s
size and complexity, the nature and
scope of its activities, and the sensitivity
of covered information. Specifically, the
order requires Facebook to:
• Designate an employee or
employees to coordinate and be
responsible for the privacy program;
• Identify reasonably-foreseeable,
material risks, both internal and
external, that could result in the
unauthorized collection, use, or
disclosure of covered information and
assess the sufficiency of any safeguards
in place to control these risks;
• Design and implement reasonable
controls and procedures to address the
risks identified through the privacy risk
assessment and regularly test or monitor
the effectiveness of these controls and
procedures;
• Develop and use reasonable steps to
select and retain service providers
capable of appropriately protecting the
privacy of covered information they
receive from respondent, and require
service providers by contract to
implement and maintain appropriate
privacy protections; and
• Evaluate and adjust its privacy
program in light of the results of the
testing and monitoring, any material
changes to its operations or business
arrangements, or any other
circumstances that it knows or has
reason to know may have a material
impact on the effectiveness of its
privacy program.
Part V of the proposed order requires
that Facebook obtain within 180 days,
and every other year thereafter for
twenty (20) years, an assessment and
report from a qualified, objective,
independent third-party professional,
certifying, among other things, that it
has in place a privacy program that
provides protections that meet or exceed
the protections required by Part IV of
the proposed order; and its privacy
controls are operating with sufficient
effectiveness to provide reasonable
assurance that the privacy of covered
information is protected.
Parts VI through X of the proposed
order are reporting and compliance
provisions. Part VI requires that
VerDate Mar<15>2010
16:52 Dec 02, 2011
Jkt 226001
Facebook retain all ‘‘widely
disseminated statements’’ that describe
the extent to which respondent
maintains and protects the privacy,
security, and confidentiality of any
covered information, along with all
materials relied upon in making such
statements, for a period of three (3)
years. Part VI further requires Facebook
to retain, for a period of six (6) months
from the date received, all consumer
complaints directed at Facebook, or
forwarded to Facebook by a third party,
that relate to the conduct prohibited by
the proposed order, and any responses
to such complaints. Part VI also requires
Facebook to retain for a period of five
(5) years from the date received,
documents, prepared by or on behalf of
Facebook, that contradict, qualify, or
call into question its compliance with
the proposed order. Part VI additionally
requires Facebook to retain for a period
of three (3) years, each materially
different document relating to its
attempt to obtain the affirmative express
consent of users referred to in Part II,
along with documents and information
sufficient to show each user’s consent
and documents sufficient to
demonstrate, on an aggregate basis, the
number of users for whom each such
privacy setting was in effect at any time
Facebook has attempted to obtain such
consent. Finally, Part VI requires that
Facebook retain all materials relied
upon to prepare the third-party
assessments for a period of three (3)
years after the date that each assessment
is prepared.
Part VII requires dissemination of the
order now and in the future to
principals, officers, directors, and
managers, and to all current and future
employees, agents, and representatives
having supervisory responsibilities
relating to the subject matter of the
order. Part VIII ensures notification to
the FTC of changes in corporate status.
Part IX mandates that Facebook submit
an initial compliance report to the FTC
and make available to the FTC
subsequent reports. Part X is a provision
‘‘sunsetting’’ the order after twenty (20)
years, with certain exceptions.
The purpose of the analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the complaint
or proposed order, or to modify the
proposed order’s terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2011–31158 Filed 12–2–11; 8:45 am]
BILLING CODE 6750–01–P
PO 00000
Frm 00026
Fmt 4703
Sfmt 4703
75885
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
[30Day–12–11DU]
Agency Forms Undergoing Paperwork
Reduction Act Review
The Centers for Disease Control and
Prevention (CDC) publishes a list of
information collection requests under
review by the Office of Management and
Budget (OMB) in compliance with the
requirement of Section 3506(c)(2)(A) of
the Paperwork Reduction Act of 1995.
To request a copy of these requests, call
the CDC Reports Clearance Officer at
(404) 639–5960 or send an email to
omb@cdc.gov. Send written comments
to CDC Desk Officer, Office of
Management and Budget, Washington,
DC or by fax to (202) 395–6974. Written
comments should be received within 30
days of this notice.
Proposed Project
The National Survey of Prison Health
Care (NSPHC)—New—National Center
for Health Statistics (NCHS), Centers for
Disease Control and Prevention (CDC).
Background and Brief Description
Section 306 of the Public Health
Service (PHS) Act (42 U.S.C. 242k), as
amended, authorizes that the Secretary
of Health and Human Services (DHHS),
acting through NCHS, shall collect
statistics on the extent and nature of
illness and disability of the population
of the United States. This one-year
clearance request includes data
collection from identified respondents
at the Department of Corrections within
each state in the United States and the
Federal Bureau of Prisons.
Few national level data exist
concerning the administration of health
care services in correctional facilities in
the United States. National-level data
from the health care providers within
prison systems are important for a
myriad of purposes related to improving
prison health and health care. To
remedy this gap in knowledge regarding
the capacity of prison facilities to
deliver medical and mental health
services, NCHS in partnership with the
Bureau of Justice Statistics (BJS) plans
to conduct the National Survey of
Prison Health Care (NSPHC). This
collection aims to: provide an overall
picture of the global structure of
healthcare services in prisons in the
United States; close gaps in available
information about availability, location
and capacity of healthcare services
provided to inmates; and identify extent
E:\FR\FM\05DEN1.SGM
05DEN1
]]>Agencies
[Federal Register Volume 76, Number 233 (Monday, December 5, 2011)]
[Notices]
[Pages 75883-75885]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-31158]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 092 3184]
Facebook, Inc.; Analysis of Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before December 30, 2011.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``Facebook, File No. 092
3184'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/facebookconsent, by following the
instructions on the Web-based form. If you prefer to file your comment
on paper, mail or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Room H-113 (Annex
D), 600 Pennsylvania Avenue NW., Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Laura Berger (202) 326-8364), FTC,
Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 the
Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that
the above-captioned consent agreement containing a consent order to
cease and desist, having been filed with and accepted, subject to final
approval, by the Commission, has been placed on the public record for a
period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for November 29, 2011), on the World Wide Web, at https://www.ftc.gov/os/actions.shtm. A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue NW., Washington, DC
20580, either in person or by calling (202) 326-2222.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before December 30,
2011. Write ``Facebook, File No. 092 3184'' on your comment. Your
comment--including your name and your state--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to
remove individuals' home contact information from comments before
placing them on the Commission Web site.
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, like anyone's Social Security number,
date of birth, driver's license number or other state identification
number or foreign country equivalent, passport number, financial
account number, or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any
sensitive health information, like medical records or other
individually identifiable health information. In addition, do not
include any ``[t]rade secret or any commercial or financial information
which is obtained from any person and which is privileged or
confidential,'' as provided in Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do
not include competitively sensitive information such as costs, sales
statistics, inventories, formulas, patterns, devices, manufacturing
processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept
[[Page 75884]]
confidential only if the FTC General Counsel, in his or her sole
discretion, grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------
\1\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/facebookconsent by following the instructions on the Web-based
form. If this Notice appears at https://www.regulations.gov/#!home, you
also may file a comment through that Web site.
If you file your comment on paper, write ``Facebook, File No. 092
3184'' on your comment and on the envelope, and mail or deliver it to
the following address: Federal Trade Commission, Office of the
Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue NW.,
Washington, DC 20580. If possible, submit your paper comment to the
Commission by courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before December 22, 2011. You can find more
information, including routine uses permitted by the Privacy Act, in
the Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent agreement from Facebook, Inc. (``Facebook'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Since at least 2004, Facebook has operated https://www.facebook.com,
a social networking Web site that enables a consumer who uses the site
(``user'') to create an online profile and communicate with other
users. Among other things, a user's online profile can include
information such as the user's name, a ``profile picture,'' interest
groups they join, a ``Friend List'' of other users who are the user's
``Friends'' on the site, photo albums and videos they upload, and
messages and comments posted by them or by other users. Users can also
use third-party applications through the site (``Apps'') to, for
example, play games, take quizzes, track their physical fitness
routines for comparison to their friends' routines, or receive discount
offers or calendar reminders. As of August 2011, Facebook had more than
750 million users.
The Commission's complaint alleges eight violations of Section 5(a)
of the FTC Act, which prohibits deceptive and unfair acts or practices
in or affecting commerce, by Facebook:
Facebook's Deceptive Privacy Settings: Facebook
communicated to users that they could restrict certain information they
provided on the site to a limited audience, such as ``Friends Only.''
In fact, selecting these categories did not prevent users' information
from being shared with Apps that their Friends used.
Facebook's Deceptive and Unfair December 2009 Privacy
Changes: In December 2009, Facebook changed its site so that certain
information that users may have designated as private--such as a user's
Friend List --was made public, without adequate disclosure to users.
This conduct was also unfair to users.
Facebook's Deception Regarding App Access: Facebook
represented to users that whenever they authorized an App, the App
would only access the information of the user that it needed to
operate. In fact, the App could access nearly all of the user's
information, even if unrelated to the App's operations. For example, an
App that provided horoscopes for users could access the user's photos
or employment information, even though there is no need for a horoscope
App to access such information.
Facebook's Deception Regarding Sharing with Advertisers:
Facebook promised users that it would not share their personal
information with advertisers; in fact, Facebook did share this
information with advertisers when a user clicked on a Facebook ad.
Facebook's Deception Regarding Its Verified Apps Program:
Facebook had a ``Verified Apps'' program through which it represented
that it had certified the security of certain Apps when, in fact, it
had not.
Facebook's Deception Regarding Photo and Video Deletion:
Facebook stated to users that, when they deactivate or delete their
accounts, their photos and videos would be inaccessible. In fact,
Facebook continued to allow access to this content even after a user
deactivated or deleted his or her account.
Safe Harbor: Facebook deceptively stated that it complied
with the U.S.-EU Safe Harbor Framework, a mechanism by which U.S.
companies may transfer data from the European Union to the United
States consistent with European law.
The proposed order contains provisions designed to prevent Facebook
from engaging in practices in the future that are the same or similar
to those alleged in the complaint.
Part I of the proposed order prohibits Facebook from
misrepresenting the privacy or security of ``covered information,'' as
well as the company's compliance with any privacy, security, or other
compliance program, including but not limited to the U.S.-EU Safe
Harbor Framework. ``Covered information'' is defined broadly as
``information from or about an individual consumer, including but not
limited to: (a) A first or last name; (b) a home or other physical
address, including street name and name of city or town; (c) an email
address or other online contact information, such as an instant
messaging user identifier or a screen name; (d) a mobile or other
telephone number; (e) photos and videos; (f) Internet Protocol (``IP'')
address, User ID, or other persistent identifier; (g) physical
location; or (h) any information combined with any of (a) through (g)
above.''
Part II of the proposed order requires Facebook to give its users a
clear and prominent notice and obtain their affirmative express consent
before sharing their previously-collected information with third
parties in any way that materially exceeds the restrictions imposed by
their privacy settings. A ``material . . . practice is one which is
likely to affect a consumer's choice of or conduct regarding a
product.'' FTC Policy Statement on Deception, Appended to Cliffdale
Associates, Inc., 103 F.T.C. 110, 174 (1984).
Part III of the proposed order requires Facebook to implement
procedures reasonably designed to ensure that a user's covered
information cannot be accessed from Facebook's servers after a
reasonable period of time, not to exceed
[[Page 75885]]
thirty (30) days, following a user's deletion of his or her account.
Part IV of the proposed order requires Facebook to establish and
maintain a comprehensive privacy program that is reasonably designed
to: (1) Address privacy risks related to the development and management
of new and existing products and services, and (2) protect the privacy
and confidentiality of covered information. The privacy program must be
documented in writing and must contain controls and procedures
appropriate to Facebook's size and complexity, the nature and scope of
its activities, and the sensitivity of covered information.
Specifically, the order requires Facebook to:
Designate an employee or employees to coordinate and be
responsible for the privacy program;
Identify reasonably-foreseeable, material risks, both
internal and external, that could result in the unauthorized
collection, use, or disclosure of covered information and assess the
sufficiency of any safeguards in place to control these risks;
Design and implement reasonable controls and procedures to
address the risks identified through the privacy risk assessment and
regularly test or monitor the effectiveness of these controls and
procedures;
Develop and use reasonable steps to select and retain
service providers capable of appropriately protecting the privacy of
covered information they receive from respondent, and require service
providers by contract to implement and maintain appropriate privacy
protections; and
Evaluate and adjust its privacy program in light of the
results of the testing and monitoring, any material changes to its
operations or business arrangements, or any other circumstances that it
knows or has reason to know may have a material impact on the
effectiveness of its privacy program.
Part V of the proposed order requires that Facebook obtain within
180 days, and every other year thereafter for twenty (20) years, an
assessment and report from a qualified, objective, independent third-
party professional, certifying, among other things, that it has in
place a privacy program that provides protections that meet or exceed
the protections required by Part IV of the proposed order; and its
privacy controls are operating with sufficient effectiveness to provide
reasonable assurance that the privacy of covered information is
protected.
Parts VI through X of the proposed order are reporting and
compliance provisions. Part VI requires that Facebook retain all
``widely disseminated statements'' that describe the extent to which
respondent maintains and protects the privacy, security, and
confidentiality of any covered information, along with all materials
relied upon in making such statements, for a period of three (3) years.
Part VI further requires Facebook to retain, for a period of six (6)
months from the date received, all consumer complaints directed at
Facebook, or forwarded to Facebook by a third party, that relate to the
conduct prohibited by the proposed order, and any responses to such
complaints. Part VI also requires Facebook to retain for a period of
five (5) years from the date received, documents, prepared by or on
behalf of Facebook, that contradict, qualify, or call into question its
compliance with the proposed order. Part VI additionally requires
Facebook to retain for a period of three (3) years, each materially
different document relating to its attempt to obtain the affirmative
express consent of users referred to in Part II, along with documents
and information sufficient to show each user's consent and documents
sufficient to demonstrate, on an aggregate basis, the number of users
for whom each such privacy setting was in effect at any time Facebook
has attempted to obtain such consent. Finally, Part VI requires that
Facebook retain all materials relied upon to prepare the third-party
assessments for a period of three (3) years after the date that each
assessment is prepared.
Part VII requires dissemination of the order now and in the future
to principals, officers, directors, and managers, and to all current
and future employees, agents, and representatives having supervisory
responsibilities relating to the subject matter of the order. Part VIII
ensures notification to the FTC of changes in corporate status. Part IX
mandates that Facebook submit an initial compliance report to the FTC
and make available to the FTC subsequent reports. Part X is a provision
``sunsetting'' the order after twenty (20) years, with certain
exceptions.
The purpose of the analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the complaint or proposed order, or to modify the
proposed order's terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2011-31158 Filed 12-2-11; 8:45 am]
BILLING CODE 6750-01-P
