WASHINGTON (Reuters) - Facebook will be required to get user consent for certain changes to privacy settings as part of a settlement of federal charges that it deceived consumers and forced them to share more personal information than they intended.
The settlement with the U.S. Federal Trade Commission will also subject the company, which is reported to preparing a $10 billion initial public offering, to 20 years of independent audits.
“I’m the first to admit that we’ve made a bunch of mistakes,” co-founder Mark Zuckerberg wrote in a lengthy post on the company’s official blog on Tuesday.
To ensure that Facebook did a better job, Zuckerberg said the company had created two new corporate privacy officer positions to oversee Facebook products and policy.
In its complaint, the FTC said that Facebook had repeatedly violated laws against deceptive and unfair practices. For example, it said Facebook promised users that it would not share personal information with advertisers, but it did.
Also, the company had failed to warn users that it was changing its website in December 2009 so that certain information that users had designated as private, such as their “Friends List,” would be made public, the FTC said.
Chris Conley, policy attorney with the American Civil Liberties Union of Northern California said the settlement “makes it clear that companies can’t simply change the rules without asking users’ permission.”
But he said that to keep pace with new technology, there was a need for new laws and tools.
“We shouldn’t have to struggle with complicated and constantly shifting privacy settings just to keep control of our own personal information,” Conley said.
Facebook, which has more than 800 million users, has often been criticized for its privacy practices since its founding in a Harvard dorm room in 2004.
Earlier this year, the company came under fire for practices related to its use of facial recognition technology to automatically identify people appearing in the photos that are shared on the service.
On a conference call with reporters on Tuesday, FTC officials said the settlement did not expressly cover the use of facial recognition technology.
They noted, however, that it was broadly crafted so that it would prevent Facebook from deceiving consumers going forward.
If Facebook is found to have violated any of the provisions of the settlement, the company is subject to fines of $16,000 per day for each violation, FTC Chairman Jon Leibowitz said.
“Nothing in this order will restrict Facebook’s ability to innovate,” said Leibowitz. But, he added, “Facebook’s innovation does not have to come at the expense of consumer privacy.”
Under the settlement, which must be approved by an FTC administrative law judge, Facebook is barred from being deceptive about how it uses personal information, and is required to get permission before changing the visibility of the personal information users have posted.
The settlement follows a similar agreement in March between the FTC and Google Inc over the Web search leader’s rollout of its own social network called Buzz.
In 2010, the FTC settled charges with Twitter, after the agency alleged that the social networking service had failed to safeguard users’ personal information.
Ray Valdes, an analyst at industry research firm Gartner, said he did not think the timing of the settlement was directly related to Facebook’s IPO plans.
“I don’t think it’s directly tied to the IPO. The IPO is still off in the distance,” he said, but added: “There’s some connection. I’d make more of a direct link if this was happening in January.”
Reporting by Diane Bartz and Alexei Oreskovic; Editing by Tim Dobbyn and Ted Kerr