Facebook’s 2011 FTC Consent Order
- Facebook Overrode Users’ Privacy Settings And Allowed Device Makers To Access Personal Data: Facebook had secret arrangements with at least 60 device makers granting them access to users' personal data, according to a report by the New York Times. Facebook overrode users privacy settings to allow companies to access sensitive information that users' had explicitly set to private. These arrangements directly contradict Facebook's previous statements that it cut off third party access to user data in 2015. Facebook is already under FTC investigation for violating a 2011 Consent Order that EPIC and consumer privacy organizations obtained. The Order bars Facebook from disclosing data to third parties without explicit consent. EPIC recently urged the FTC to enforce the Consent Order following revelations that Facebook allowed Cambridge Analytica to access the data of 87 million users. In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jun. 5, 2018)
- EPIC Obtains Partial Release of 2017 Facebook Audit: EPIC has obtained a redacted version of the 2017 Facebook Assessment required by the 2012 Federal Trade Commission Consent Order. The Order required Facebook to conduct biennial assessments from a third-party auditor of Facebook's privacy and security practices. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments as well as related records. The 2017 Facebook Assessment, prepared by PwC, stated that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. This assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users. In a statement to Congress for the Facebook hearings last week, EPIC noted that FTC Commissioners represented that the Consent Order protected the privacy of hundreds of millions of Facebook users in the United States and Europe. (Apr. 20, 2018)
- Senator Blumenthal Calls On FTC To Enforce Consent Order Against Facebook (Apr. 20, 2018) +
- EPIC Urges Senate to Focus on FTC Consent Order with Facebook (Apr. 9, 2018) +
- UPDATE - EPIC, Consumer Groups Urge FTC to Investigate Facebook's Use of Facial Recognition (Apr. 6, 2018) +
- EPIC, Consumer Groups to Urge Federal Trade Commission to Investigate Facebook's Use of Facial Recognition (Apr. 5, 2018) +
- State AGs Launch Facebook Investigation (Mar. 26, 2018) +
- FTC Confirms Investigation Into Facebook about 2011 Consent Order (Mar. 26, 2018) +
- EPIC FOIAs FTC, Seeks Facebook's Privacy Assessments (Mar. 20, 2018) +
- EPIC, Consumer Groups Urge FTC To Investigate Facebook (Mar. 20, 2018) +
- Facebook "Breach" Highlights Failure of FTC to Enforce Consent Orders (Mar. 19, 2018) +
- EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees (Feb. 13, 2018) +
- EPIC Calls for Greater FTC Enforcement (Sep. 28, 2017) +
- EPIC Urges Public Comments on FTC Settlement with Uber (Sep. 6, 2017) +
- Following EPIC Complaint, Uber Agrees To Stop Tracking Riders (Aug. 29, 2017) +
- After EPIC Privacy Complaint, Uber Settles with FTC (Aug. 15, 2017) +
- Rep. Blackburn Proposes Online Privacy Bill, Would Preempt Stronger State Protections (May. 19, 2017) +
- EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act (Aug. 29, 2016) +
- With New Policy Changes, Facebook Tracks Users Across the Web (Feb. 4, 2015) +
- Facebook Responds to EPIC Complaint About "Emotions Study" (Oct. 2, 2014) +
- European Facebook Users Privacy Lawsuit Moves Forward (Aug. 26, 2014) +
- Following EPIC Complaint, Senator Seeks Investigation of Facebook User Manipulation Study (Jul. 17, 2014) +
- EPIC Challenges Facebook's Manipulation of Users, Files FTC Complaint (Jul. 3, 2014) +
- EPIC Urges FTC to Protect Snapchat Users' Privacy (Jun. 10, 2014) +
- Federal Trade Commission Urges Court to Protect Student Privacy (May. 29, 2014) +
- EU Court Rules Google Must Respect Right to Delete Links (May. 13, 2014) +
- EPIC's Snapchat Privacy Complaint Results in 20-Year FTC Consent Order (May. 8, 2014) +
- FTC Responds to EPIC Complaint on WhatsApp and Privacy (Apr. 10, 2014) +
- Federal Trade Commission Backs Users in Facebook Privacy Case (Mar. 21, 2014) +
- WhatsApp Founder Responds to EPIC Privacy Complaint (Mar. 18, 2014) +
- EPIC Urges FTC Investigation of WhatsApp Sale to Facebook (Mar. 6, 2014) +
- EPIC Files Amicus Brief in Facebook Consumer Privacy Case, Urges Rejection of Settlement (Feb. 21, 2014) +
- Instagram Retreats on Changes to Terms of Service, Cites User Opposition (Dec. 21, 2012) +
- Facebook Updates Privacy Controls, Removes Profiles Safeguard (Dec. 13, 2012) +
- Judge Rejects Settlement in Facebook "Sponsored Stories" Case (Aug. 21, 2012) +
- FTC Finalizes Settlement with Facebook (Aug. 10, 2012) +
- Judge Skeptical of Facebook Settlement (Aug. 3, 2012) +
- Facebook Timeline Changes User Privacy Settings. Again. (Dec. 15, 2011) +
- Federal Trade Commission Announces Settlement in EPIC Facebook Privacy Complaint (Nov. 29, 2011) +
- FTC Releases Agenda for Facial Recognition Workshop (Nov. 22, 2011) +
- WSJ: Facebook Close to Settlement with FTC over EPIC Complaint (Nov. 10, 2011) +
- Sen. Rockefeller Requests FTC Report on Facial Recognition Technology (Oct. 20, 2011) +
- Facebook Makes Some Changes, Privacy Complaints Still Pending (Aug. 29, 2011) +
- Facebook Makes Changes to Facial Recognition; Still Relying on Opt-Out (Jul. 27, 2011) +
- Congressman Markey Commends EPIC, Privacy Groups for Filing Facebook Complaint (Jun. 14, 2011) +
- EPIC Files Complaint, Urges Investigation of Facebook's Facial Recognition Techniques (Jun. 10, 2011) +
- Facebook Resumes Plan to Disclose User Home Addresses and Mobile Phone Numbers (Mar. 2, 2011) +
- Congressman Barton and Markey Challenge Facebook on Disclosure of Home Addresses, Mobile Phone Numbers (Feb. 2, 2011) +
- Facebook Drops Plan to Disclose Users' Home Addresses and Personal Phone Numbers (Jan. 18, 2011) +
- Congressmen Question Facebook About Latest Privacy Breach (Oct. 20, 2010) +
- Facebook "Places" Embeds Privacy Risks, Complicated and Ephemeral Opt-Out Unfair to Users (Aug. 19, 2010) +
- Federal Trade Commission Takes Action Against Twitter, Social Network Service Settles Charges It Deceived Consumers (Jun. 24, 2010) +
- Congress Pursues Investigation of Google and Facebook's Business Practices (Jun. 1, 2010) +
- Facebook Expected to Announce Privacy Changes (May. 25, 2010) +
- New Facebook Privacy Complaint Filed with Trade Commission (May. 5, 2010) +
- Senators Oppose Facebook Changes, Schumer Urges Trade Commission to Regulate Social Network Services (Apr. 27, 2010) +
- EPIC’s Facebook Complaint of "particular interest" to FTC (Jan. 19, 2010) +
- Privacy Groups File Amended Complaint regarding Facebook (Jan. 14, 2010) +
- EPIC Seeks Facebook Communications Detailing Privacy Changes (Dec. 29, 2009) +
- EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission (Dec. 17, 2009) +
- Facebook Asks Users to Review Privacy Settings, Recommends Privacy Options, Questions Remain (Dec. 9, 2009) +
More top news
2004: Mark Zuckerberg starts Facebook as a social networking site for Harvard Undergraduates
2006: Facebook launches "News Feed," which allowed Facebook to post information directly to a user's page. Within 24 hours, hundreds of thousands of the site's users protested, prompting Mark Zuckerberg to write an open letter to Facebook users apologizing for doing a "bad job of explaining what the new features were and an even worse job of giving you control of them." Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.
2007: Facebook launches Facebook Beacon, a program that broadcast users' private online purchases on their friends' News Feeds. Users were given no advance warning of the program and could not opt out. As a result of widespread criticism, Facebook shut down Beacon in 2009.
June 11, 2008: EPIC President Marc Rotenberg testifies before Congress on social network privacy:
Users of social networking sites are also exposed to the information collection practices of third party social networking applications. On Facebook, installing applications grants this third party application provider access to nearly all of a user's information. Significantly, third party applications do not only access the information about a given user that has added the application. Applications by default get access to much of the information about that user's friends and network members that the user can see.
February 4, 2009: Facebook changes its Terms of Service. The revised TOS allow Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could "deactivate" their account, but all the information would be retained by Facebook, rather than deleted. EPIC plans to file a complaint with the FTC alleging that the new TOS violated the FTC Act.
February 18, 2009: On the eve of EPIC's FTC complaint, Facebook backs down on its revised TOS, announcing that it will restore the original TOS.
December 17, 2009: EPIC and consumer organizations file a complaint with the FTC alleging that Facebook's privacy practices were unfair and deceptive. The complaint warns that Facebook granted third party apps unrestricted access to user data without users' knowledge or consent.
July 29, 2010: EPIC urges Congress to strengthen privacy laws for Facebook users. In prepared testimony, EPIC President Marc Rotenberg urged lawmakers to update federal law to protect the privacy of Facebook users, explaining that Facebook's constant changes to its privacy settings have made it virtually impossible for users to control who gets access to their information.
September 29, 2011: EPIC writes a letter to the FTC urging it to stop Facebook from using cookies to secretly track Internet users "even after they have logged off of Facebook."
November 29, 2011: Facebook settles FTC charges that it deceived consumers by failing to keep privacy promises. The FTC issued an eight-count complaint against Facebook alleging unfair and deceptive practices by Facebook:
- In December 2009, Facebook changed its website so certain information that users may have designated as private - such as their Friends List - was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data - data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences - for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
Under the proposed FTC Order, Facebook was:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
In its announcement of the settlement, the FTC noted that "Facebook's privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups."
December 27, 2011: EPIC's comments urge the FTC to strengthen the proposed order. Specifically, EPIC's recommended that the FTC require Facebook to:
- Allow users to access all of the data that Facebook keeps about them;
- Cease creating facial recognition profiles without users' affirmative consent;
- Make Facebook's privacy audits publicly available to the greatest extent possible;
- Cease secret post-log out tracking of users across websites.
In a separate letter, EPIC also asked the Commission to determine whether Facebook's Timeline, which made archived and inaccessible information widely available without the consent of the user, was consistent with the terms of the Order.
August 10, 2012: The FTC adopts a Final Order against Facebook without any modifications.
2012 - 2018: The FTC never charges Facebook with a single violation of the Consent Order despite numerous complaints.
March 20, 2018: EPIC and consumer groups urge the FTC to investigate Facebook following revelations that Facebook permitted the disclosure of 87 million user records to the controversial political data mining firm Cambridge Analytica.
March 26, 2018: The FTC confirms an investigation into Facebook.
- EPIC FTC Complaint In re Facebook (filed Dec. 17, 2009)
- EPIC FTC Supplemental Complaint In re Facebook (filed Jan. 14, 2010)
- FTC Complaint In the Matter of Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011).
- FTC Press Release Announcing Proposed Consent Order (Nov. 29, 2011).
- FTC Analysis of Proposed Consent Order to Aid in Public Comment
- EPIC Comments on Proposed Consent Order (Dec. 27, 2011).
- EPIC Letter to the FTC Concerning Facebook Timeline (Dec. 27, 2011)
- FTC Decision and Order (Aug. 10, 2012)
- EPIC Letter to FTC Urging Investigation into Facebook (Mar. 20, 2018)