On May 8, 2012, Myspace agreed to settle Federal Trade Commission charges that it misrepresented its protection of users’ personal information.
The two majors issues at stake were misrepresentation of privacy practices, and misrepresentation of compliance with Safe Harbor principles.
Misrepresentation of Privacy Practices
Myspace assigns a persistent unique identifier, called a “Friend ID,” to each profile created on Myspace. A user’s profile may publicly display the user’s name, age, gender, picture, hobbies, interests, and lists of users’ friends.
The Myspace privacy policy promised that it would not share a user’s personally identifiable information, or use such information in a way that was inconsistent with the purpose for which it was submitted, without prior notice to, and consent from, the user. It also promised that the information used to customize ads would not identify users to third parties and would not share non-anonymized browsing activity.
The FTC charged that Myspace provided advertisers with the Friend ID of users who were viewing particular pages on the site. Advertisers could use the Friend ID to locate a user’s Myspace profile and obtain personal information publicly available on the profile. Advertisers also could combine the user’s real name and other personal information with additional information to link broader web-browsing activity to a specific individual.
Misrepresentation of Compliance with Safe Harbor Principles
Myspace certified that it complied with the U.S.-EU Safe Harbor principles, which include a requirement that consumers be given notice of how their information will be used and the choice to opt out.
The FTC alleged that the way in which Myspace handled personal information was inconsistent with its representations of compliance with the Safe Harbor principles.
Proposed Settlement
The proposed settlement order would:
- Bar Myspace from misrepresenting the extent to which it
protects the privacy of users’ personal information
- Bar Myspace from misrepresenting the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework.
- Require Myspace to establish a comprehensive privacy program designed to protect consumers’ information;
- Require Myspace to obtain biennial assessments of its privacy program by independent, third party auditors for 20 years.
- Expose Myspace to a civil penalty of up to $16,000 for each future violation, if any, of the consent order.
The proposed settlement is open for comments; it will be finalized and will become effective after the end of the comment period.