MySpace Consent Order
Last week, the Federal Trade Commission (the "FTC") and MySpace agreed to a proposed consent order regarding MySpace's violation of its own website privacy policy. MySpace's policy stated that it would not use or share a member's personally identifiable information ("PII") except as described in the policy and that the cookies feature, which enables content-specific advertisements to be delivered to the member on the site, would not provide such information to third parties. The policy also stated that MySpace complied with the US-EU Safe Harbor Framework.
The problem was that MySpace provided a member's "Friend ID" to advertisers. The Friend ID is a computer-generated series of numbers, which is part of the member's page URL. When a MySpace page loads, MySpace sends a request to the ad network to load an ad. Along with that request, MySpace also transmitted the Friend ID, age and gender of the user. While the Friend ID does not itself include any PII, advertisers could view all public information posted on a member's page and "sync" the Friend ID to such information. The result is that third-parties were able to obtain PII if they wanted to. The advertiser also had the ability to view the websites the member has visited by linking the personal information it obtained via MySpace with information it obtained through its own tracking cookie. MySpace's privacy policy, however, had promised not to use or share a member's PII unless it received permission first.
The proposed consent order sets forth that MySpace may not misrepresent the privacy or confidentiality of a consumer's "covered information." Such information includes (but is not limited to): first and last name; home or other physical address; e-mail address or other online contact information; telephone number; photos and videos; IP address, user ID, device ID or other persistent identifier; list of contacts; and physical location. The consent order also prohibits MySpace from misrepresenting its adherence to any privacy policy or program, such as the US-EU Safe Harbor Framework. Additionally, the consent order mandates that MySpace implement a comprehensive privacy program, and provides for external audits of such program and practices every two years for the next twenty years.
What's Old and New About the Order
The proposed order is generally consistent with previous orders entered into between the FTC and Google and the FTC and Facebook. The FTC has always maintained that your privacy policy must be complete, accurate and current: the policy should say what you DO with covered information and what you do NOT do with covered information. And, you must DO what the policy says you will do and NOT do what the policy says you will not do. What is noteworthy about the MySpace case is that MySpace did not directly provide covered information to the advertisers. Nevertheless, the Consent Order defines "covered information" broadly to include a persistent identifier, such as the Friend ID, because the Friend ID made other covered information accessible to the advertisers.
The proposed MySpace consent order includes the following required features of a comprehensive privacy program:
- Individual designated as responsible for the program;
- Identification of "reasonably foreseeable, material risks, both internal and external, that could result in. . . unauthorized collection, use, or disclosure of covered information", as well as evaluation of safeguards implemented to control such risks "in each area of relevant operation", such as employee training and product research and development;
- Implementation of "reasonable privacy controls and procedures" to address the risks identified above, as well as regular monitoring or testing of such controls and procedures;
- Requiring service providers by contract to protect covered information and using reasonable due diligence and monitoring to ensure service provider capability to do so; and
- Ongoing evaluation and revision of the privacy program through testing and monitoring, whenever these are material changes in operations or business arrangements, or "any other circumstances that . . . may have a material impact on the effectiveness of [the] privacy program."
What the Order Means to Your Business
A number of lessons can be learned from the MySpace example. Accordingly, if your business operates a website that is interactive with consumers, you should:
- review your privacy policy and your privacy practices regularly;
- review your privacy policy each time that consumer information may be disclosed to third parties, or otherwise made accessible to third parties, due to a new practice, website use, vendor contract, operational change or otherwise;
- include operational people in the review so that all actual and potential uses or disclosure of covered information can be properly identified;
- check your default settings in terms of what user information is publicly accessible and provide a meaningful choice to users;
- determine whether a third party can indirectly gain access to a user's PII; and
- appoint a centralized privacy function or employee and develop an internal privacy program or plan that ensures proper use of covered information consistent with the posted privacy policy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.