According to the FTC’s complaint, the policy indicated that Myspace would not share personal information except as described in the policy without first giving notice and receiving permission from the user. The policy also said that information used by third parties to customize ads would not identify the user to those third parties and that non-anonymized browsing activity would not be shared. But, charged the FTC, these promises didn’t square with reality.
The FTC alleged that Myspace provided advertisers with the “Friend ID” of users who were viewing particular pages on the site. Although a Friend ID itself does not provide a user’s name, the complaint alleged that, because of a default setting on the site, an advertiser could use the Friend ID to access a user’s full profile, which often contains a user’s full name. Advertisers could also combine a user’s real name and other information to link web browsing activity to specific individuals. A user had to override the default setting if she wanted to hide her full name.
In addition, Myspace had publicly certified with the Department of Commerce that its practices were in compliance with the U.S.-EU Safe Harbor Framework, which requires adherence to specific data privacy and security principles and practices as a means for a US company to obtain personal data from entities in the European Union in accordance with the EU Data Protection Directive. The FTC complaint alleged that Myspace failed to adhere to those principles and, thus, that its Safe Harbor certification was a false representation in violation of section 5 of the FTC Act.
The settlement agreement has many parts. Myspace is prohibited from misrepresenting how it maintains and protects the privacy and confidentiality of users’ personal information and from misrepresenting compliance with any privacy or security program, such as the Safe Harbor Framework. Myspace is also required to implement a comprehensive privacy program to address privacy risks associated with users’ information. As part of the program, Myspace must designate an employee or employees to coordinate the program, identify reasonably foreseeable material risks relating to disclosure and assess the sufficiency of safeguards to protect against those risks, and regularly test the effectiveness of those safeguards. Finally, every other year for the next 20 years, Myspace must have its privacy program evaluated by an objective, independent professional who will have to certify that the program’s protections meet or exceed the settlement’s conditions.