Social network site Myspace promised users it wouldn’t share their personally identifiable information in a way that was inconsistent with the reason people provided the info, without first notifying them and getting their approval. The company also said that information used to customize ads wouldn’t identify people to third parties and that Myspace wouldn’t share browsing activity that wasn’t anonymous. But according to a lawsuit filed by the FTC, Myspace provided advertisers with the “Friend ID” of users who were viewing particular pages on the site. Once advertisers had the Friend ID, they could put two and two together to access lots of other personal information — including users’ full names. That meant that the company’s promises about notice, permission, and anonymous data were false and misleading. To settle the FTC’s charges, Myspace has agreed to change its practices to protect users’ privacy in the future. Part I of the proposed order prohibits Myspace from misrepresenting the privacy and confidentiality of any “covered information.” The order defines that phrase broadly as information from or about an individual consumer including, but not limited to, a first and last name; home or other physical address, including street name and city or town; email address or other online contact information, like an instant messaging user identifier or screen name; mobile or other phone number; photos and videos; IP address, User ID, device ID, or other persistent identifier; list of contacts; or physical location. That provision also makes it illegal for Myspace to misrepresent its adherence to any privacy, security, or other compliance program. That includes the US-EU Safe Harbor Framework. (In addition to violating its own privacy promises, Myspace’s claim that it complied with the Safe Harbor Principles was also false, said the FTC.) Under Part II of the order, Myspace has to implement a comprehensive privacy program designed to address privacy risks related to the development and management of existing product and services and new ones, and to protect the privacy and confidentiality of covered information. The order spells out the required features of the program. Specifically, Myspace will:
- designate the person responsible for the program;
- identify reasonably foreseeable material risks — from inside the company and out — that could result in the unauthorized collection or disclosure of covered information;
- assess the sufficiency of safeguards in place to control those risks;
- establish and maintain reasonable controls and procedures to address the risks identified through the privacy risk assessment;
- regularly test the effectiveness of the safeguards;
- take reasonable steps to ensure that service providers protect the privacy of covered information they get from Myspace, including putting privacy provisions in their contracts; and
- adjust its privacy program in light of testing, changes to how it does business, and any other circumstance Myspace has reason to know may have a material impact on the program’s effectiveness.
Part III puts in place a feature common in recent FTC orders: a requirement that every other year for the next 20 years, Myspace will have its privacy program evaluated by a qualified, objective, independent professional. That person will have to certify that Myspace provides protections that meet or go beyond the protections required by the order. Next: What the Myspace case means for your company