FTC Announces Settlement with Facebook

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

The Federal Trade Commission (FTC) this afternoon announced a proposed consent decree with the prominent social network Facebook, settling allegations that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices. The settlement imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written comprehensive privacy program. The FTC also required Facebook to obtain independent privacy compliance assessments initially and then every two years for the next 20 years. Given the FTC's recent consent decrees with Google and Twitter and the associated audit and record-keeping obligations, the FTC now effectively has regulatory oversight over the privacy and data security practices of the three most prominent social networking companies in the United States.

The FTC’s complaint (PDF) alleges that Facebook violated Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, by repeatedly failing to live up to the privacy promises it made to its now approximately 750 million users. The complaint sets forth the following instances in which Facebook allegedly made unfair or deceptive promises concerning its privacy practices:

  • Deceptive Privacy Settings:  Although Facebook informed users that they could “control who can see” their profile information by using privacy settings to restrict access to their profiles, these settings did not prevent certain third-party applications from accessing users’ profile information.
  • Unfair and Deceptive Privacy Changes:  Facebook made changes to its website that made public information that users previously designated as private, without adequate notice to the users (much like what was alleged in the Google Buzz consent decree).
  • Deception Regarding Application Access:  Facebook represented to users that third-party applications would only be able to access such user profile information that was necessary to operate the application, but in some instances applications were given nearly unlimited access to users’ profile information.
  • Deception Regarding Sharing with Advertisers:  Facebook promised that it would not share users’ information with third-party advertisers, but it provided advertisers with information about its users.
  • Deception Regarding “Verified Apps” Program:  Facebook claimed that it verified the security of applications that sought certification through the “Verified Apps” program, but it took no steps to verify the security of a “Verified” application beyond those which it may have taken regarding any other application.
  • Deception Regarding Deletion of User Content:  Facebook represented to its users that their profile information, including photos and videos, would be inaccessible upon the deletion of their accounts, but Facebook continued to allow third parties to access this content after the users’ accounts were deleted or deactivated.

The FTC’s enforcement action against Facebook is yet another example of the FTC’s ongoing effort to ensure that websites live up to the privacy promises they make to consumers. Jon Leibowitz, Chairman of the FTC, remarked that “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” and noted that the “FTC action will ensure” that Facebook’s innovations will not come at the expense of consumer privacy.

US-EU Safe Harbor Framework Violations

The alleged violations of Section 5 of the FTC Act also include a failure to comply with the substantive privacy requirements of the US-EU Safe Harbor Framework ("Safe Harbor").  The Safe Harbor is a voluntary framework that allows companies to transfer personal data from the EU to the US in compliance with EU law.  Since at least 2009, Facebook has maintained self-certification with the Department of Commerce under the Safe Harbor program, under which it has declared its compliance with the seven Safe Harbor privacy principles in its public Privacy Policy and on the US Department of Commerce website.  In its complaint, the FTC alleged that Facebook, due to the failure to live up to many of the representations it made about its privacy practices, failed to comply with the Safe Harbor principles of Notice and Choice that required it to inform individuals about all the purposes for which it collected their data and to give those individuals a choice about how their information would be used.  

Terms of Proposed Settlement 

Under the consent decree (PDF), the FTC bars Facebook from further misrepresenting its privacy practices and requires it to: (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) establish and maintain a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information; and (iv) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree. 

In advance of the FTC’s announcement, Mark Zuckerberg, founder and CEO of Facebook, today posted an entry on The Facebook Blog detailing the measures that Facebook will take to protect the privacy of its users. These measures include the creation of two new corporate officer roles:  Chief Privacy Officer – Policy, and Chief Privacy Officer – Products. Zuckerberg stated that the new corporate officer positions “will further strengthen the processes that ensure that privacy control is built into our products and policies.”

CNIL Cites French Yellow Pages Operator for Illegal Use of Social Media Data

France's Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL) announced on September 23, 2011 that it had found the French provider of universal telephone directory services, “Pages Jaunes,” guilty of violating several provisions of the French data protection law. The CNIL did not fine Pages Jaunes, but published a detailed warning, listing each privacy violation that the CNIL had identified during its investigation of Pages Jaunes’s activities. 

At issue was Pages Jaunes’s web crawler function, which Pages Jaunes has since discontinued. The crawler captured information contained in the Facebook, Twitter and LinkedIn profiles of persons having the same name as the person being looked up in the directory service. For example, if someone were to look up the telephone number of Pierre Dupont, Pages Jaunes would show Mr. Dupont’s phone number and would also show information from social media sites relating to persons named Pierre Dupont. That information might include photos, the name of Dupont’s employer, the schools he attended, his geographic location, his profession, etc.

Pages Jaunes argued that the persons whose profiles were copied had been duly informed and consented, because the general terms and conditions of the social media sites indicate that information posted on public profiles may be accessible to search engines. 

The CNIL dismissed this argument. First, a number of the profiles that were being accessed were profiles of minors, and the informed consent of minors for this type of activity cannot be deemed to exist in these circumstances. Second, the reference to “search engines” in the social media sites’ general terms and conditions cannot be deemed to extend to companies whose principal activities are not that of a search engine. The CNIL pointed out that Pages Jaunes is a telephone directory and not a search engine. According to the CNIL, if the terms of use of the social media sites expressly mentioned that data in public profiles could be re-used by Pages Jaunes, that might constitute sufficient information and consent to allow Pages Jaunes to extract data from those sites. The CNIL pointed out that Pages Jaunes had entered into an agreement with one social media site called Trombi pursuant to which Trombi expressly mentioned on its site that data could be accessed and used by Pages Jaunes. For the major social media sites, however, no such agreement with Pages Jaunes existed. 

The CNIL also found that Pages Jaunes had breached its obligation to ensure that only accurate and updated data are processed. According to the CNIL, the profile data that was presented by Pages Jaunes was in many cases outdated by 4 to 12 months.

Pages Jaunes argued that it provided data subjects with the ability, on the Pages Jaunes website, to ask that their profile data not be accessed by Pages Jaunes, but the CNIL found that the procedures put in place by Pages Jaunes were too burdensome. A person must fill out a form and submit to Pages Jaunes proof of his or her identity for each social media site that the person wants to block. The CNIL also criticized Pages Jaunes for keeping logs of IP addresses and the time and date of queries made on the Pages Jaunes site. According to the CNIL, the retention of these data is excessive and not required under French law because Pages Jaunes is neither a telecommunications operator nor a hosting provider. Finally, the CNIL found that Pages Jaunes had violated its obligations with respect to the telephone directory data that it processes, because Pages Jaunes used that data to help refine the results of the social media profile searches. Under French law, universal directory providers are prohibited from using telephone directory data for any purpose other than providing a universal directory service. Pages Jaunes’s use of these data exceeded the scope permitted under French law.

The CNIL’s decision is a useful analysis of the issues that arise when collecting data that is publicly available on social media sites.

Privacy Blog Content Now Available on Facebook, Twitter and Through Mobile Apps


Whether you keep up with breaking news through social media or always have your mobile device handy, now you can access the latest privacy and data protection news in your favorite way. On Facebook, visit our page at www.facebook.com/hldataprotection and click the “Like” button, or follow @HLPrivacy on Twitter, to receive notice of new blog posts and upcoming Hogan Lovells privacy events. And for on-the-go reading there’s also our mobile web app, which you can access from most tablets and mobile devices, including iPad, iPhone, and Droid, at http://mobapp.hoganlovells.com/privacy.  (This entry tells you how to create an icon for the mobile app on your iPhone.)

Round Up of Developments in Social Media Law

Social media has been a hot topic of late. Companies are debating the official use of social media for marketing purposes, social networking privacy has been the subject of recent (failed) legislation, and the EU has been ratcheting up pressure on prominent social networking sites to enhance privacy protections. Social media was even a topic of discussion at this May's "eG8" in Paris, an event blogged about recently by Chris Wolf.

The Hogan Lovells Chronicle of Data Protection has covered social media developments over the past year or so, and we provide a summary of our coverage for you here in one place, allowing you to take stock:

  • NLRB Increases Enforcement Activity Against Discipline of Employees for Use of Social Media (May 26, 2011):  The National Labor Relations Board (NLRB) has recently expressed an interest in investigating actions taken against employees for their use of social media, including issuing administrative complaints against a car dealer that fired an employee for posting concerns on his Facebook page about the dealer's handling of a sales event, and against a nonprofit social services organization for terminating five employees who commented on Facebook about the organization's work load, staffing issues, and commitment to its clients.  These contrast with a memorandum issued by the NLRB that advised that the discharge of a newspaper reporter for posting "unprofessional and inappropriate" social networking messages to a work-related social media account did not violate the law.
  • CAN-SPAM Held to Apply to Social Media Messaging (April 1, 2011):  The U.S. District Court for the Northern District of California issued an opinion in Facebook v. MaxBounty holding that messages sent through social networking sites must comply with the federal CAN-SPAM law regulating commercial email advertising.
  • FTC Announces Proposed Google Buzz Settlement:  First Time FTC Requires Comprehensive Privacy Program (March 30, 2011):  The Federal Trade Commission (FTC) announced a proposed settlement with Google relating to charges that Google used deceptive practices and violated its own privacy policies when it launched its social network Google Buzz.  For the first time ever, the FTC required a company to institute a "comprehensive privacy program" and to obtain affirmative consent from consumers for any new or additional uses of previously collected data.
  • FTC Enforces Against Obscure Privacy Disclosures in New Consent Decree (December 6, 2010):  The FTC entered into a consent decree with a developer of parental web-monitoring software that, without consent from parents, captured children's website history, chat conversations, and instant messages and incorporated them into a marketing service that gave companies the ability to see what consumers are saying or thinking by providing aggregate consumer opinions drawn from user-generated social media websites.  Though the company disclosed that information may be used to "improve our services" and "conduct research," the language was in the thirtieth paragraph of a policy that was contained in a small scroll box, and the FTC took the position that the failure to clearly notify parents of the use of their children's data constituted a deceptive trade practice.
  • NLRB Files Complaint for Employer's Allegedly Overbroad Social Media Policy (November 8, 2010):  The NLRB kicked off its recent flurry of social media activity by issuing an administrative complaint against a company for terminating an employee who, after an incident at work, criticized her supervisor on her Facebook page.  Lafe Solomon, the NLRB's acting general counsel, said, "This is a fairly straightforward case under the National Labor Relations Act -- whether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions, in this case about their supervisor, and they have a right to do that."  The case settled early this year.
  • Twitter Consent Order Evidences Broader Scope of FTC Information Security Enforcement (July 1, 2010):  The FTC entered into a consent order with social networking service provider Twitter, alleging that lapses in Twitter's data security practices resulted in unauthorized individuals gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses.  Unlike the FTC's prior data security consent orders under the FTC Act, there was no allegation of any unauthorized access to traditionally recognized forms of sensitive personal information, such as Social Security numbers, financial account numbers, government ID numbers, consumer reports, or medical conditions.
  • FINRA Issues Guidance on Social Networking Sites (February 9, 2010):  The Financial Industry Regulatory Authority (FINRA), an industry self-regulatory organization, issued guidance to member companies on the use of blogs and social networking sites to engage in company-sponsored communications with the public.  While FINRA exercises oversight of the securities industry, the recommendations are good advice for any business that is considering communicating with or marketing to consumers through social media.
  • Two Hogan & Hartson Advisories on the Use of Social Media (September 28, 2009):  We were even covering social media back before we were Hogan Lovells!  We issued an update (PDF), still relevant today, setting forth the considerations that arise when social media is used by three different groups -- an entity itself, the employees of that entity, and third parties in reference to the entity.  Also, at the end of 2009 the FDA held a two-day public hearing on how pharmaceutical companies use the web and social media.  Despite it being almost two years since that hearing, the FDA just this March delayed an expected guidance on the use of social media to market pharmaceuticals.  News earlier this week that Facebook will prevent pharmaceutical companies from disabling the comments feature on their pages has caused consternation, as the FDA has implied in past statements that user comments may be ascribed to pharmaceutical companies for regulatory purposes.  Stay tuned.

CAN-SPAM Held to Apply to Social Media Messaging

On March 28, 2011, the U.S. District Court for the Northern District of California held, in Facebook, Inc. v. MAXBOUNTY, Inc., case no. CV-10-4712-JF, that messages sent by Facebook users to their Facebook friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act. The court, in denying the defendant MAXBOUNTY’s motion to dismiss, rejected that CAN-SPAM applies only to traditional e-mail as it is commonly understood. The ruling is the most expansive judicial interpretation to date of the types of messages falling within the purview of the CAN-SPAM Act. The court did not reach or otherwise address the underlying merits of the CAN-SPAM claims.

In its complaint, Facebook alleged that MAXBOUNTY engaged in a misleading and deceptive advertising scheme affecting Facebook users. Facebook alleged that in furtherance of that scheme, Defendant “procure[d] Facebook users to send, or t[ook] actions that cause commercial electronic messages to be sent, to all the Facebook users’ friends on Facebook.” By procuring the messages, MAXBOUNTY would be an “initiator” under CAN-SPAM and therefore responsible for various CAN-SPAM obligations. 

In focusing on whether the messages at issue are even covered by CAN-SPAM, the court considered CAN-SPAM’s definition of “electronic mail message,” which is “a message that is sent to a unique electronic mail address.” CAN-SPAM in turn defines “electronic mail address” as “a destination, commonly expressed as a string of characters, consisting of a unique user name or mailbox (commonly referred to as the ‘local part’) and a reference to an Internet domain (commonly referred to as the ‘domain part’), whether or not displayed, to which an electronic mail message can be sent or delivered.” 15 U.S.C. § 7702(5).

Because the references to the “local part,” the “domain part” and the other items are set off by commas, the court concluded that the only requirement for a message to be considered an “electronic mail message” under CAN-SPAM is a “destination . . . to which an electronic mail message can be sent.” Accordingly, the court found that messages posted to another user’s Facebook wall, news feeds or home pages are covered by the statute. The court also found it significant that the messages at issue involved “routing activity on the part of Facebook” and concluded that its interpretation was consistent with Congressional intent, which was to reduce the burden of misleading communications on the Internet.

In reaching its decision, the court relied on two U.S. District Court cases from the Central District of California involving the social networking site MySpace. Those cases involved entities establishing large numbers of MySpace profiles to send commercial and phishing “e-messages” to other MySpace users wholly within the “walled garden” or domain of the MySpace service. Unlike in MAXBOUNTY though, the messages in those cases were sent to an inbox that resembled traditional email inboxes. 

In both cases, the Central District of California concluded that the e-messages at issue were electronic mail messages under CAN-SPAM. In MySpace Inc. v. The Globe.com, Inc., No. 06-3391 (C.D. Cal. 2007), the court concluded that the definition was met because each user’s mail resided at a unique URL and the Internet destination www.myspace.com. The court concluded that it was irrelevant that the messages were sent only within the “walled garden” of MySpace. The court in MySpace Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007) adopted the same reasoning, but went further in rejecting the defendant’s arguments that electronic mail messages must include a domain name and an external route for the message to travel. The definitional reasoning set forth in Wallace was subsequently adopted by the court in MAXBOUNTY.

Facebook brought the suit against MAXBOUNTY in the social networking site’s capacity as a provider of “Internet access service,” the only type of entity afforded a private right of action under the CAN-SPAM Act. Under the court’s decision, even a single message posted by one Facebook user to a friend’s wall that promotes a home business could potentially be construed as an electronic mail message under CAN-SPAM. If so, these individuals would be subject to CAN-SPAM's various requirements for such messages, including identification of the message as an advertisement or solicitation, the inclusion of a return address or other conspicuously displayed mechanism for opting out of future commercial messages, and listing a physical mailing address. However, the likelihood of Facebook or other social networking sites suing their users under CAN-SPAM for small numbers of such individual messages seems quite low (although there might be other ramifications if the activities violate a service’s terms of use). In the instant case, it appears Facebook was acting to address broad-based deceptive activities by a third party that affected its users. It is those entities and high-volume spammers on social media sites that are likely most affected by this decision.

Two Hogan & Hartson Advisories on the Use of Social Media

Many people remember the now-dated cartoon from the New Yorker magazine showing two dogs sitting in front of a computer, with one observing to the other "the best part about the Internet is that no one knows you are a dog".  Even today, many people feel they enjoy complete privacy when interacting online, especially with certain social media sites.  But times have changed from when anonymity meant there were no obvious consequences to online conduct.  The proliferation of the use of social media is much in the news, and the legal issues also are proliferating.

Hogan & Hartson has just authored an advisory, available by clicking here, setting forth the considerations that arise when social media is used by three different groups — an entity itself, the employees of that entity, and third parties in reference to the entity. We discuss the benefits of social media, as well as issues and risks, from each of these three angles.

Also, the U.S. Food and Drug Administration recently announced that it will hold a two-day public hearing in November on how pharmaceutical companies use the web and social-media tools to market their products.  This is the first step in a process that will establish guidelines for drug makers using the tools of social networking.  The Hogan & Hartson advisory on this development is available by clicking here.