European Commission focuses attention on Facebook privacy practices
Such an effort to regulate Facebook and its ilk in the United States would be a more difficult challenge, given the emphasis under current laws on making sure companies do what they say they will do (that is, that action matches policy), but without any requirement as to the specific practices they have to adopt. (A notable exception is with respect to data collection from minors under the age of 13.) The governing law for U.S. companies is the Federal Trade Commission Act (15 U.S.C. §45), which empowers the FTC to prevent unfair or deceptive trade practices — acting counter to published privacy policies is typically considered a deceptive trade practice. Despite the fact that Facebook explicitly reserves the right to change its privacy practices and terms of service at any time in its Statement of Rights and Responsibilities, the changes it implemented in December 2009 prompted a complaint to the FTC by a group of privacy and consumer advocates, arguing that the nature of the changes violated consumer protection laws. To date the FTC has taken no action in response to the complaint, although Facebook has been discussed in FTC-sponsored forums such as the Exploring Privacy roundtable series.
Facebook has used the attention surrounding the changes in its privacy practices to spin the story into a positive tale of increased consumer awareness of personal privacy. During the second session in the privacy roundtable series, Facebook’s Director of Public Policy Tim Sparapani cited user statistics that 35% of its 350 million users were prompted by the change to actually go to the privacy settings section of their accounts and configure them. By any accounting, that’s a lot of users, but a more interesting metric might be how many current users have not taken any action (even making a decision to accept the new default settings). Perhaps if more users were made aware of how Facebook’s privacy practice facilitated third-party harvesting of personal data such as contact information, more of them would be motivated to act.