The day after news leaked about Facebook’s plans for a blockbuster initial stock offering, the Federal Trade Commission announced a proposed consent order that would rein in the social network’s freewheeling approach to its users’ personal information. The order reiterates an important principle that has been guiding the commission’s approach to online privacy: Consumers, not Facebook, get to decide how their personal information will be shared online.
Facebook’s approach to privacy has improved over the years, but it’s still capable of egregious missteps. One example is its decision in 2009 to make all the profile photos users had uploaded public, even if they had previously instructed Facebook to limit access to them.
Although the company admits no wrongdoing, the tentative settlement would impose a series of requirements on Facebook that should give users more control over the personal information they’ve shared with friends and acquaintances online. Technology changes so rapidly that regulators risk deterring companies and competitors from innovating their way to better privacy controls. The requirements imposed by the proposed order avoid that problem by setting standards for Facebook to meet, not prescribing methods for how to do so.
One of the order’s mandates would require Facebook to stop misleading users about the information it disclosed to third parties. Another would bar Facebook from disclosing any “nonpublic” information —anything that a user had told Facebook not to reveal to the entire Internet — until it obtained the user’s permission. A third would force Facebook to submit independent audit reports on its privacy controls for 20 years — a burden that should help persuade other online companies to voluntarily follow the order’s privacy blueprint.
These are important steps, and consistent with the approach the commission took with the Google Buzz social network. The message, again, is that users don’t automatically give online companies carte blanche to use personal information just because they posted it online. The commission expressed that most clearly when it required Facebook to stop giving third parties access to information that users thought they had deleted or profiles they had terminated. That Facebook wasn’t doing so already suggests that, no matter how many times Chief Executive Mark Zuckerberg says “everyone needs complete control over who they share with at all times,” he doesn’t really understand what that means.