On 9/11/12, the Federal Trade Commission, in an effort to protect consumers and prevent fraudulent, deceptive, and unfair business practices, approved a final settlement agreement with the social networking site MySpace over charges that MySpace misrepresented its protection of user’s personal information, an alleged violation of Section 5 of the FTC Act. MySpace is a social networking site with 25 million users worldwide who create custom online profiles of themselves for other users to view. When a profile is created on MySpace a unique identifier is assigned to that user which MySpace calls a “Friend ID.” The Friend ID can be used to access a user’s age, gender, profile picture, display name, and even the user's full name. A user’s profile may also contain additional information such as pictures, video’s, music, hobbies, interests, and lists of users' friends.
MySpace promised under the privacy policy posted on its Web site that it would not share a user’s personally identifiable information or otherwise exploit such information in a way that was inconsistent with the purpose for which it was submitted without first giving notice to and receiving permission from the user. A user’s personally identifiable information is defined by MySpace’s privacy policy as the user's full name, email address, mailing address, telephone number, or credit card number. Furthermore, the privacy policy also promised that the means through which it customized ads would not allow advertisers to access personally identifiable information or individually identify users.
MySpace earns revenue by allowing third-party or affiliate advertising networks to place advertisements directly on its site. According to the FTC, MySpace misled users about what information third-party advertisers received about them. The FTC charged that MySpace provided advertisers with the Friend ID of users who were viewing particular pages on the site. The advertisers were then able to use the Friend ID to easily access a user's MySpace profile to obtain personal information publicly available on the profile to link broader web-browsing activity to a specific individual. Additionally, the FTC alleges that MySpace made false statements about its compliance with U.S.-EU Safe Harbor Framework which is in place to protect the transfer of personal information from the European Union to the United States.
The settlement proposed by the FTC prohibits MySpace from misrepresenting the degree to which it protects the privacy of users’ personal information or to which it complies with other programs such as the U.S.-E.U. Safe Harbor Framework. The settlement also requires MySpace to take immediate action to develop a comprehensive privacy program to protect consumers’ information, including mandatory biennial audits of that program for 20 years by an independent third party.
The FTC notes that the administrative complaint issued against MySpace that led to the settlement agreement is not a finding or ruling that MySpace actually violated a law nor is the settlement agreement an admission by MySpace that it violated the law. However, now that the FTC has voted to accept the settlement agreement it carries the force of law with respect to future actions and each violation of such an order may result in a civil penalty of up to $16,000.
What does this mean for businesses and their privacy policies? Companies that collect a consumer’s personal information have a legal responsibility to stand by what is promised in their privacy policies and may share personal information or otherwise use the information only after first giving notice and, if required by the policy or applicable law, receiving permission from the consumers. It is important for companies to make an effort to craft their privacy policies in a more transparent manner for consumers. The FTC is making sure that companies are living up to their privacy policies and will take legal action against a company that has violated consumers’ privacy rights. If a company violates a consumer’s privacy rights it could lead to an assessment of monetary damages and it may possibly have a damaging effect on a companies goodwill. Therefore, it is important for a company to regularly review their privacy policies and make sure it provides for the utmost protection of a consumer’s personal information and to be certain that the company is in full compliance with its policy.
(written by Jeff Wells, Fall 2012 IBLT Entrepreneurship Assistance Fellow)
No comments:
Post a Comment