Facebook can't just up and change its privacy settings whenever it wants to. It must now obtain express consent from its users first.
Since the settlement, Zuckerberg has penned a blog post outlining the Facebook features that the site has launched, which include friend lists, the ability to review tags before they appear on a profile, and mobile versions of privacy controls, among other notable updates. He also announced the splitting of the Chief Privacy Officer position into two parts, to be held by Erin Egan and Michael Richter in product and policy, respectively.
Facebook will now undergo privacy audits every two years for the next 20 years, which is similar to what Google experienced after the Google Buzz privacy breach.
Here are the eight big offenses that led to the FTC complaint, straight from the Bureau of Consumer Protection:
1. Facebook Privacy Settings. Facebook promised its users that they could keep their information to a limited audience given the site's privacy settings, yet the FTC found that third-party apps had access to personal information.
2. Privacy Changes: Material Omission. Information that Facebook told its users was deemed private, such as friend lists, was made public.
3. Privacy Changes: Unfair Practices. Facebook did not ask for users' consent when changing the privacy of users' information and retroactively applying these changes to previously collected information.
4. Info Accessible Via Apps. Facebook claimed that the apps would only have info about users "that it requires to work." The FTC discovered that this was not true.
5. What Info Facebook Shares With Advertisers. The FTC found that from September 2008 to May 2010, Facebook "ran its site so that in many instances, the User ID of a person who clicked on an ad was shared with the advertiser." This went directly against the statement that Facebook made, saying that it did not share information with advertisers.
6. Facebook's "Verified App" Program. The FTC states that Facebook "did not verify the security of a Verified App's website or the security the app provided for the information it collected, beyond the steps Facebook took for any other app." In other words, the "Verified App" seal did not symbolize anything.
7. Photo and Video Deletion. Facebook told its users that they could permanently delete photos and videos from the site. Yet each piece of content had a unique URL which, when accessed, would bring up the supposedly deleted photo or video.
8. US-EU Safe Harbor Program. The FTC questions statements made by Facebook when it said it was in compliance with the US-EU Safe Harbor Framework, a way for US companies to transfer data from the EU to the United States in a way that's consistent with European law.
According to the Sophos Security Blog, in addition to the privacy audits, if the settlement proceeds, Facebook also must stop misrepresenting its security and privacy policies, obtain consent when handing personal data, establish a stronger privacy program and, perhaps most importantly, prevent people from accessing information from deleted/deactivated accounts 30 days after they have been closed.
With Facebook's new privacy audits in place and a pending IPO in the summer of 2012, you can bet that the 800 million-user-strong social network will start taking privacy more seriously.