Myspace Settles FTC Charges That It Misled Users About Privacy

Settlement Will Require Regular Privacy Assessments for the Next 20 Years

Social networking service Myspace has agreed to settle Federal Trade Commission charges that it misrepresented its protection of users’ personal information. The settlement, part of the FTC’s ongoing efforts to make sure companies live up to the privacy promises they make to consumers, bars Myspace from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years.

The Myspace social network has millions of users who create and customize online profiles containing substantial personalized content. Myspace assigns a persistent unique identifier, called a “Friend ID,” to each profile created on Myspace. A user’s profile publicly discloses his or her age, gender, profile picture (if the user chooses to include one), display name, and, by default, the user’s full name. User profiles also may contain additional information such as pictures, hobbies, interests, and lists of users’ friends.

Myspace’s privacy policy promised it would not share users’ personally identifiable information, or use such information in a way that was inconsistent with the purpose for which it was submitted, without first giving notice to users and receiving their permission to do so. The privacy policy also promised that the information used to customize ads would not individually identify users to third parties and would not share non-anonymized browsing activity.

Despite the promises contained in its privacy policy, the FTC charged, Myspace provided advertisers with the Friend ID of users who were viewing particular pages on the site. Advertisers could use the Friend ID to locate a user’s Myspace profile to obtain personal information publicly available on the profile and, in most instances, the user’s full name. Advertisers also could combine the user’s real name and other personal information with additional information to link broader web-browsing activity to a specific individual. The agency charged that the deceptive statements in Myspace’s privacy policy violated federal law.

In addition, Myspace certified that it complied with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States. As part of its self-certification, Myspace claimed that it complied with the Safe Harbor Principles, including the requirements that consumers be given notice of how their information will be used and the choice to opt out. The FTC alleged that these statements were false.

The proposed settlement order bars Myspace from misrepresenting the extent to which it protects the privacy of users’ personal information or the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework. The order also requires that Myspace establish a comprehensive privacy program designed to protect consumers’ information, and to obtain biennial assessments of its privacy program by independent, third-party auditors for 20 years.

The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0-1, with Commissioner Maureen K. Ohlhausen not participating. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through June 8, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments can be filed electronically at this link. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. A consent agreement is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook and follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.
