In Re FACEBOOK INTERNET TRACKING LITIGATION
Filing
157
THIRD AMENDED COMPLAINT (Public Version) against All Defendants. Filed by Brian K. Lentz, Perrin Aikens Davis, Matthew J. Vickery, Cynthia D. Quinn. (Attachments: #1 Exhibit A, #2 Exhibit B, #3 Exhibit C, #4 Exhibit D, #5 Exhibit E, #6 Exhibit F, #7 Exhibit G, #8 Exhibit H, #9 Exhibit I, #10 Exhibit J, #11 Exhibit K, #12 Exhibit L, #13 Exhibit M, #14 Exhibit N, #15 Exhibit O, #16 Exhibit P, #17 Exhibit Q, #18 Exhibit R, #19 Exhibit S, #20 Exhibit T, #21 Exhibit U (redacted), #22 Exhibit V (redacted), #23 Exhibit W (redacted), #24 Exhibit X (redacted), #25 Exhibit Y (redacted), #26 Exhibit Z (redacted), #27 Exhibit AA (redacted), #28 Exhibit BB (redacted), #29 Exhibit CC (redacted), #30 Exhibit DD (redacted), #31 Exhibit EE, #32 Exhibit FF (redacted), #33 Exhibit GG (redacted), #34 Exhibit HH (redacted), #35 Exhibit II (redacted), #36 Exhibit JJ, #37 Exhibit KK, #38 Exhibit LL (redacted), #39 Exhibit MM, #40 Exhibit NN, #41 Exhibit OO, #42 Exhibit PP)(Straite, David) (Filed on 8/25/2017) Modified on 8/25/2017 (cv, COURT STAFF).
<![CDATA[
Exhibit KK
UN ITED STATES OF AM ERICA
FEDERAL TRADE COMMISSION
W ASH IN GTO N , D .C. 20580
O ffice of the Secretary
July 27, 2012
Marc Rotenberg, Executive Director
Lillie Coney, Assistant Director
David Jacobs, Consumer Protection Fellow
Electronic Privacy Information Center
1718 Connecticut Ave., NW
Suite 200
Washington, DC 20009
Re:
In the Matter of Facebook Inc., File No. 0923184
Dear Mr. Rotenberg, Ms. Coney, and Mr. Jacobs:
Thank you for your comment on behalf of the Electronic Privacy Information Center
(“EPIC”) on the Federal Trade Commission’s consent agreement in the above-entitled
proceeding. The Commission has placed your comment on the public record pursuant to rule
4.9(b)(6)(ii) of the Commission’s Rules of Practice, 16 C.F.R. § 4.9(b)(6)(ii), and has given it
serious consideration.
The Commission thanks EPIC for its petitions and other correspondence about Facebook,
Inc.’s (“Facebook”) privacy practices, and appreciates its support of the proposed complaint.
The Commission is committed to safeguarding consumer privacy and believes that the proposed
order will advance this objective. In particular, the proposed order requires Facebook to
establish and maintain a comprehensive privacy program for all its products and services, and
obtain biennial privacy audits by an independent third-party professional. Further, the proposed
order requires Facebook to give clear and prominent notice and obtain a user’s affirmative
express consent prior to any sharing of the user’s “nonpublic user information”1 with any third
party, which materially exceeds the restrictions imposed by the user’s privacy setting(s). In
addition, the proposed order prohibits Facebook from misrepresenting the extent to which it
maintains the privacy or security of “covered information.”2 Should Facebook violate any term
1
“Nonpublic user information” is defined as “covered information that is restricted by one or more privacy
setting(s).”
2
“Covered information” is defined as “information from or about an individual consumer, including, but
not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city
or town; (c) an email address or other online contact information, such as an instant messaging user identifier or
screen name; (d) a mobile or other telephone number; (e) photos and videos; (f) Internet Protocol (“IP”) address,
User ID or other persistent identifier; (g) physical location; or (h) any information combined with any of (a) through
(g) above.”
of the final order, it could be liable for civil monetary penalties of up to $16,000 per violation
per day (pursuant to Section 5(l) of the FTC Act).
Your comment focuses on five key concerns, which we address, in turn, below:
(1) You ask the Commission to require Facebook to restore its privacy settings to those
available in December 2009.
The Commission believes such a change could cause significant consumer confusion.
The site has evolved substantially since December 2009, and it is not clear that users would
understand how their settings had been altered. Accordingly, the Commission believes that
under these circumstances the most sensible approach is to ensure that Facebook does not
misrepresent the privacy of user information going forward, that Facebook obtains affirmative
consent from users prior to sharing information in a manner that materially exceeds their privacy
settings, and that it establishes and maintains a comprehensive privacy program.
(2) You urge the Commission to prohibit Facebook from creating facial recognition
profiles without users’ express consent.
The comprehensive privacy program described above will require Facebook to
implement practices that are appropriate to the sensitivity of the “covered information” in
question, which is very broadly defined in the order and would include biometric data.
Moreover, the biennial audits of its privacy practices will help ensure that Facebook lives up to
these obligations. Although the order does not specifically require that Facebook obtain a user’s
consent for the creation of facial recognition data, the order’s broad prohibition on deception is
designed to ensure that Facebook will be truthful with users about such practices. Likewise, the
affirmative express consent requirement, described above, is designed to ensure that Facebook
upholds privacy settings that it offers to users to protect such information.
(3) You ask the Commission to make public the assessments required by the proposed
order to the maximum extent permitted by law.
The Commission recognizes the public interest in understanding and evaluating a
company’s compliance with the law. The public may seek access to the third-party assessments
required by the order by making a request under the Freedom of Information Act.3 However, the
third-party assessments may contain trade secrets or other confidential commercial or financial
information, or information about consumers or other third parties that the Commission may not
publicly disclose.4 Upon receipt of a request for confidential treatment of all or part of the thirdparty assessments, the Commission will conduct a careful review to determine whether
confidential treatment is warranted. We will make every effort to be transparent regarding these
3
5 U.S.C. § 552 et seq.
4
See 15 U.S.C. § 46(f) (“the Commission shall not have any authority to make public any trade secret or
any commercial or financial information which is obtained from any person and which is privileged or
confidential”); Commission Rule of Practice § 4.10.
2
assessments, consistent with the applicable law. If the FTC determines that the assessments
have been frequently requested or are likely to be frequently requested because of the their
subject matter, the agency will post such portions as may be released to the public on the FTC’s
website.5
(4) You request that the Commission require Facebook to give its users the right to
access the data Facebook keeps about them.
Although the order does not contain an access requirement, it does provide users with
meaningful rights to control their data. In particular, regarding the deletion of users’
information, the proposed order requires Facebook to (1) implement reasonable procedures to
ensure that deleted data cannot be accessed by third parties after a reasonable period of time, not
to exceed thirty days, following its deletion and (2) as part of its comprehensive privacy
program, consider and address any reasonably foreseeable, material privacy risks related to its
retention of users’ covered information.
(5) Finally, you highlight your concerns with several of Facebook’s current features and
business practices, including Timeline, tracking of logged-out users, behavioral tracking and
analysis, and tagging.
Although the proposed complaint does not contain allegations specifically addressing
these specific issues, it does allege that Facebook violated Section 5 of the FTC Act by falsely
representing to users the protections provided by their privacy settings, by making other false
promises regarding privacy, and by making material, retroactive changes to users’ privacy
settings without users’ consent. Accordingly, the proposed order contains provisions, described
above, designed to prevent Facebook from engaging in similar practices involving any Facebook
product or service. These provisions are broad enough to address misconduct beyond that
expressly challenged in the complaint.
In light of these considerations, the Commission has determined that the public interest
would best be served by issuing the Decision and Order in final form without any modifications.
The final Decision and Order and other relevant materials are available from the Commission’s
website at http://www.ftc.gov. It helps the Commission’s analysis to hear from a variety of
sources in its work. The Commission thanks you again for your comment.
By direction of the Commission, Commissioner Rosch dissenting and Commissioner
Ohlhausen not participating.
Donald S. Clark
Secretary
5
See 5 U.S.C. § 552(a)(2)(D) .
3
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
