Yesterday, the Federal Trade Commission (“FTC”) approved an agreement with MySpace to settle charges that the company misrepresented the extent to which it shared personal information with third-party advertisers.  MySpace’s privacy policy suggested that it would not share personally identifiable information (“PII”) with third parties without the user’s permission, but the Commission alleged that this statement was false or misleading because the company shared “Friend IDs” with advertisers.  These Friend IDs provided third parties with access to a user’s basic profile information, which often includes PII.  The Commission’s complaint also claimed that MySpace misrepresented the extent to which advertisers could access PII or identify users when customizing ads, the extent to which web browsing histories shared with advertisers were anonymized, and the extent to which MySpace’s practices complied with its US-EU Safe Harbor obligations.

The Commission published the settlement in the Federal Register and provided for a 30-day public comment period, during which Electronic Privacy Information Center (“EPIC”) suggested additional obligations on MySpace.  The settlement prohibits similar misrepresentations about the “the extent to which [MySpace] maintains and protects the privacy and confidentiality” of certain PII.  In addition, MySpace is required to establish, implement, and maintain “a comprehensive privacy program” and must submit to biennial privacy audits for a period of 20 years. One important consequence of these settlements is that the Commission may seek civil penalties if the settlement is later violated.