Last week, the FTC announced that it has agreed to end its 18-month investigation of Facebook’s privacy practices, with a settlement that involved a twenty-year compliance plan and specific steps to formalize privacy within Facebook’s organization.  Though the proposed settlement, which will now be open for public comment, has met with a range of reactions, what we’re hearing most are questions about what the development means for the rest of the industry.

In its investigation, the FTC focused on a number of privacy practices that it claimed were misleading.  For example, the agency looked at changes that Facebook made to its privacy practices in 2009 that the FTC alleged led to changes in the privacy status of certain information.  The FTC also argued that Facebook hadn’t done enough to explain to users when their information might be shared with apps by their friends and how Facebook handled deletion of information.

In settling these charges, Facebook didn’t agree to these allegations or admit that it violated the law.  Instead, the company explained in a blog post that it signed the agreement to formalize its “commitment to do the things we’ve always tried to do and planned to keep doing — giving you tools to control who can see your information and then making sure only those people you intend can see it.”  Facebook also said that it agreed to “embrace [the FTC’s] ideas” about how it could enhance its internal privacy practices.

So what lessons can you take from the Facebook agreement if you’re not Facebook and aren’t directly obligated to comply with its terms?

As the FTC made clear in a recent blog post, part of the agency’s purpose in reaching the settlement with Facebook was to send a message to other companies about what it views as the right ways to address privacy online.  The FTC took a similar approach in other high-profile privacy settlements, including with Google and Twitter, where it reached agreement with a single company and then worked to spread the word that the agreement reflected its views on best practices for companies to avoid what the FTC viewed as unfair or deceptive privacy practices.

In the settlement, Facebook agreed to implement a twenty-year compliance program, with recordkeeping and reporting obligations.  Among other things, Facebook made these commitments:

  • Facebook will obtain users’ “affirmative express consent” before making any changes that override their privacy preferences.
  • Facebook will make certain disclosures to users prominently and separately from its privacy policy, including the specific third parties with whom Facebook shares nonpublic user information and the specific categories of information that are disclosed.
  • Facebook will prevent anyone from accessing user content on its servers more than 30 days after a user deletes the content or his or her account.
  • Facebook will implement a comprehensive privacy program, which includes a privacy risk assessment, training, and privacy and security controls and testing requirements.
  • A third-party auditor will review Facebook’s privacy practices at least once every two years.

For other companies doing business online, the FTC described a few key lessons it wants the Facebook agreement to send.  One is that the FTC wants companies to review their existing privacy policies and settings to be sure that their actual practices match what they have promised, and, as importantly, that the policies clearly describe how the company uses and shares the data it collects and are updated as the technology changes.  The FTC also wants companies to go beyond a standard privacy policy to make information about their practices and the choices they offer more accessible and understandable to users.  (For an example, look at Facebook’s new Data Use Policy and its inline privacy controls.)

The FTC also has signaled that it expects businesses to have a specific internal program for managing privacy at all stages: from product development, to managing data storage and third-party relationships, to responding to privacy incidents.  Every company’s practices will be different, but the FTC’s consistent message, even before its settlement with Facebook, has been that it expects companies to be thinking about privacy before they get a call from the government.