What Facebook’s FTC Settlement Means for Businesses

Thursday, December 01, 2011

Kelly Colgan
By Eduard Goodman, Identity Theft 911

Whether you’re a Facebook user, a privacy wonk, or both, you’re likely aware of the social network’s settlement with the Federal Trade Commission, announced Tuesday.

Under terms of the settlement, Facebook must now get users’ permission before it changes the way their personal information is shared.

The social network also agreed to submit to privacy audits every two years for the next 20 years. Read The New York Times’ coverage of the settlement for a more in-depth explanation of the agreement.

The settlement shows why it’s so important for companies to build privacy best practices into their business, preferably before the government orders them to do so.

This concept—Privacy by Design—was first developed by Dr. Ann Cavoukian, information and privacy commissioner for Ontario, Canada.

If Facebook had adopted these practices years ago, it could have avoided run-ins with U.S. and E.U. regulators.

The basic concept is actually quite simple: Companies should include privacy concepts and controls into new products and services during their development stage rather than treating privacy as an afterthought or ignoring it altogether.

Companies should think proactively about the life cycle and uses of information collected so they can have clear policies on what they do with the information down the road.

Privacy by Design (PbD) is guided by seven core principles that companies can follow and treat as their privacy “rules of engagement.” The seven principles are:

1. Proactive not Reactive; Preventative not Remedial

2. Privacy as the Default Setting

3. Privacy Embedded into Design

4. Full Functionality — Positive-Sum, not Zero-Sum

5. End-to-End Security — Full Lifecycle Protection

6. Visibility and Transparency — Keep it Open

7. Respect for User Privacy — Keep it User-Centric

These principles have been embraced by privacy authorities worldwide as the best approach for businesses that handle consumers’ sensitive personal information. Each principle represents core privacy values that, if followed, are good for businesses and consumers. And they keep regulators happy.

I haven’t seen Facebook openly recognize the value of PbD. Maybe it’s because of its unprecedented growth in the last five years. Maybe it’s because, as a young, brash company, it doesn’t feel the need to set its goals regarding privacy very high.

Heck, maybe it’s because one of its financial backers is a CIA-owned venture capital group. Or maybe, it’s just because up until recently it hasn’t had to deal with more than negative press and little risk of losing users since it’s really the only game in town.

Regardless of the reason, Facebook is beginning to realize that people still care about their privacy. In the end, that means giving the user control over his information, and making privacy protection easy, clear and a default for users.

Facebook is a good case study for businesses on the costs of ignoring privacy. Downplaying the importance of how you treat and communicate your treatment of consumers’ personal information can be a big mistake.

It illustrates why adopting PbD principles early in the life of a product or service is critical. Mapping out how your company handles these issues from the start can prevent later headaches.

Being a sideline critic is easy and hindsight is 20/20, but Facebook is an easy example of why PbD matters for businesses in the 21st century.

Remember Mark Zuckerberg’s self-serving statement, referred to as Zuckerberg’s law: “Every year, people are sharing twice as much information as the previous year.”

Even if it’s true, people still care about the control of their information and privacy. And in the end that is really what this FTC settlement and PbD are all about.

Eduard Goodman, Chief Privacy Officer, Identity Theft 911. An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.

Victor Stanescu: This is a very small victory in the war of keeping our data secure online.
I would have preferred to see a steep fine applied to Facebook for all of their lil' "mishaps" on privacy!